Aruba Instant 6.5.0.0-4.3.0.0 | User Guide | Roles and Policies

Configuring Machine and User Authentication Roles

You can assign different rights to clients based on whether their hardware device supports machine
authentication. Machine authentication is only supported on Windows devices, so it can be used to
distinguish between Windows devices and other devices such as iPads.

You can create any of the following types of rules:

- Machine Auth only role: This indicates a Windows machine with no user logged in. The device supports
  machine authentication and has a valid RADIUS account, but a user has not yet logged in and
  authenticated.

- User Auth only role: This indicates a known user or a non-Windows device. The device does not support
  machine authentication or does not have a RADIUS account, but the user is logged in and authenticated.

When a device does both machine and user authentication, the user obtains the default role or the derived role
based on the RADIUS attribute.

You can configure machine authentication with role-based access control using the Instant UI or the CLI.

In the Instant UI

To configure machine authentication with role-based access control:

1. In the Access tab of the WLAN wizard (New WLAN or Edit <WLAN-profile>) or in the wired profile
   configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine
   auth only and User auth only roles.

2. Configure access rules for these roles by selecting the role, and applying the rule. For more information
   on configuring access rules, see Configuring ACL Rules for Network Services on page 182.

3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.

4. Click Finish to apply these changes.

In the CLI

To configure machine and user authentication roles for a WLAN SSID:

    (Instant AP)(config)# wlan ssid-profile <name>
    (Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
    (Instant AP)(SSID Profile <name>)# end
    (Instant AP)# commit apply

To configure machine and user authentication roles for a wired profile:

    (Instant AP)(config)# wired-port-profile <name>
    (Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>
    (Instant AP)(wired ap profile <name>)# end
    (Instant AP)# commit apply

Configuring Derivation Rules

Instant allows you to configure role and VLAN derivation rules. You can configure these rules to assign a user
role or a VLAN to the clients connecting to an SSID or a wired profile.

Understanding Role Assignment Rules

When an SSID or a wired profile is created, a default role for the clients connecting to this SSID or wired profile
is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.
The role assigned by some methods may take precedence over the roles assigned by the other methods.
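The two sections above describe how a client ends up with a role: a machine-only or user-only role when just one of the two authentications succeeds, and the default role or a role derived from a RADIUS attribute when both succeed. The following Python model is an added example, not Aruba code, that makes that decision table explicit and adds a small evaluator for role derivation rules. The rule operators (equals, not-equals, starts-with, ends-with, contains, value-of) are modelled after the Instant CLI set-role syntax; the first-match-wins ordering, the sample RADIUS attributes and role names are assumptions constructed for the example.

```python
"""Model of Instant machine/user authentication role selection plus
RADIUS-attribute role derivation. Added example, not Aruba code."""
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence


@dataclass(frozen=True)
class DerivationRule:
    """One role derivation rule: <attribute> <operator> <value> -> role.

    With operator "value-of" the role name is taken from the attribute
    itself and the rule's own `value` and `role` are ignored.
    """
    attribute: str
    operator: str
    value: str
    role: str


def _matches(operator: str, attr_value: str, value: str) -> bool:
    """Evaluate one comparison operator (names follow the Instant CLI)."""
    if operator == "equals":
        return attr_value == value
    if operator == "not-equals":
        return attr_value != value
    if operator == "starts-with":
        return attr_value.startswith(value)
    if operator == "ends-with":
        return attr_value.endswith(value)
    if operator == "contains":
        return value in attr_value
    raise ValueError(f"unknown operator: {operator}")


def derive_role(rules: Sequence[DerivationRule],
                radius_attrs: Mapping[str, str]) -> Optional[str]:
    """Return the derived role, or None if no rule matches.

    Assumption: rules are evaluated in configured order and the first
    match wins. A rule whose attribute the server did not send is skipped
    rather than treated as a match, so a missing attribute can never
    grant a role.
    """
    for rule in rules:
        attr_value = radius_attrs.get(rule.attribute)
        if attr_value is None:
            continue
        if rule.operator == "value-of":
            return attr_value
        if _matches(rule.operator, attr_value, rule.value):
            return rule.role
    return None


def assign_role(machine_authenticated: bool, user_authenticated: bool, *,
                machine_only_role: str, user_only_role: str,
                default_role: str, derived_role: Optional[str] = None) -> Optional[str]:
    """Select the client role as described for Enforce Machine Authentication.

    - machine auth only  -> the Machine auth only role
    - user auth only     -> the User auth only role
    - both               -> derived role if a rule matched, else the default role
    - neither            -> None (assumption: client is not admitted)
    """
    if machine_authenticated and user_authenticated:
        return derived_role or default_role
    if machine_authenticated:
        return machine_only_role
    if user_authenticated:
        return user_only_role
    return None


# Constructed sample configuration and RADIUS reply (not from the guide).
SAMPLE_RULES = [
    DerivationRule("Filter-Id", "starts-with", "eng", "engineering"),
    DerivationRule("Class", "value-of", "", ""),
]
SAMPLE_ATTRS = {"Filter-Id": "eng-wifi"}


def example_role() -> Optional[str]:
    """Both authentications succeeded and the Filter-Id rule matches."""
    derived = derive_role(SAMPLE_RULES, SAMPLE_ATTRS)
    return assign_role(True, True,
                       machine_only_role="machine-only",
                       user_only_role="user-only",
                       default_role="employee",
                       derived_role=derived)


if __name__ == "__main__":
    print(example_role())  # engineering
```

The useful check here is the "neither" and "missing attribute" paths: a client that fails both authentications gets no role rather than silently falling into the default, and a derivation rule cannot fire on an attribute the RADIUS server never sent.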

Summary of Contents for IAP-103

Page 1: ...User Guide Aruba Instant 6 5 0 0 4 3 0 0 ...

Page 2: ...source licenses A complete machine readable copy of the source code corresponding to such code is available upon request This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company To obtain such source code send a check or money order in the amount of US 10 00 t...

Page 3: ...ng the Instant CLI 23 Automatic Retrieval of Configuration 27 Managed Mode Operations 27 Prerequisites 27 Configuring Managed Mode Parameters 28 Verifying the Configuration 29 Instant User Interface 31 Login Screen 31 Main Window 32 Initial Configuration Tasks 60 Configuring System Parameters 60 Changing Password 66 Customizing IAP Settings 68 Modifying the IAP Host Name 68 Configuring Zone Settin...

Page 4: ...Profiles 81 Configuring Fast Roaming for Wireless Clients 101 Configuring Modulation Rates on a WLAN SSID 104 Multi User MIMO 105 Management Frame Protection 106 Disabling Short Preamble for Wireless Client 106 Editing Status of a WLAN SSID Profile 106 Editing a WLAN SSID Profile 107 Deleting a WLAN SSID Profile 107 Wired Profiles 108 Configuring a Wired Profile 108 Assigning a Profile to Ethernet...

Page 5: ...e 167 Enabling 802 1X Supplicant Support 169 Configuring MAC Authentication for a Network Profile 170 Configuring MAC Authentication with 802 1X Authentication 172 Configuring MAC Authentication with Captive Portal Authentication 174 Configuring WISPr Authentication 175 Blacklisting Clients 176 Uploading Certificates 179 Roles and Policies 182 Firewall Policies 182 Content Filtering 195 Configurin...

Page 6: ...es on an IAP 254 Configuring Radio Settings 260 Deep Packet Inspection and Application Visibility 264 Deep Packet Inspection 264 Enabling Application Visibility 264 Application Visibility 265 Enabling URL Visibility 270 Configuring ACL Rules for Application and Application Categories 270 Configuring Web Policy Enforcement Service 273 Voice and Video 276 Wi Fi Multimedia Traffic Management 276 Medi...

Page 7: ...verview 334 Setting up Instant Mesh Network 335 Configuring Wired Bridging on Ethernet 0 for Mesh Point 335 Mobility and Client Management 337 Layer 3 Mobility Overview 337 Configuring L3 Mobility 338 Spectrum Monitor 340 Understanding Spectrum Data 340 Configuring Spectrum Monitors and Hybrid IAPs 346 IAP Maintenance 348 Upgrading an IAP 348 Backing up and Restoring IAP Configuration Data 351 Con...

Page 8: ...9 ClearPass Guest Setup 390 Configuring ClearPass Guest 390 Verifying ClearPass Guest Setup 394 Troubleshooting 394 IAP VPN Deployment Scenarios 396 Scenario 1 IPsec Single Datacenter Deployment with No Redundancy 397 Scenario 2 IPsec Single Datacenter with Multiple Controllers for Redundancy 401 Scenario 3 IPsec Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy 405...

Page 9: ...nt Quick Start Guide l Aruba Instant CLI Reference Guide l Aruba Instant MIB Reference Guide l Aruba Instant Syslog Messages Reference Guide l Aruba Instant Release Notes Conventions The following conventions are used throughout this manual to emphasize important concepts Style Type Description Italics This style is used to emphasize important terms and to mark the titles of books System items Thi...

Page 10: ...amples items within curly brackets and separated by a vertical bar represent the available choices Enter only one choice Do not type the curly brackets or bars Table 1 Typographical Conventions The following informational icons are used throughout this guide Indicates helpful suggestions pertinent information and important things to remember Indicates a risk of damage to your hardware or loss of d...

Page 11: ...d of life Information arubanetworks com support services end of life Security Incident Response Team SIRT Site arubanetworks com support services security bulletins Email sirt arubanetworks com Aruba Instant 6 5 0 0 4 3 0 0 User Guide About this Guide 11 ...

Page 12: ...nt is ideal for small customers or remote locations without requiring any on site IT administrator Instant consists of an IAP and a Virtual Controller VC The VC resides within one of the IAPs In an Instant deployment scenario only the first IAP needs to be configured After the first IAP is configured the other IAPs inherit all the required configuration information from the VC Instant continually ...

Page 13: ...f the new IAP new IAP will not come up and may reboot with the reason Image sync fail To recover from this condition upgrade the existing cluster to at least the minimum required version of the new IAP first and add the new IAP Aruba recommends that networks with more than 128 IAPs be designed as multiple smaller VC networks with Layer 3 mobility enabled between these networks Aruba IAPs are avail...

Page 14: ...ndard web based interface that allows you to configure and monitor a Wi Fi network Instant is accessible through a standard web browser from a remote management console or workstation and can be launched using the following browsers l Microsoft Internet Explorer 11 or earlier l Apple Safari 6 0 or later l Google Chrome 23 0 1271 95 or later l Mozilla Firefox 17 0 or later If the Instant UI is laun...

Page 15: ...y SNMP server with the location details of the VoIP caller Configuring Maximum Clients on SSID Radio Profiles The maximum number of clients allowed to connect to a WLAN SSID Radio profile can now be individually set using the Instant CLI Redirect Blocked HTTPS Websites to a Custom Page URL Instant 6 5 0 0 4 3 0 0 allows you to redirect blocked HTTPS websites to a custom page url by configuring the...

Page 16: ... IPv6 Support This release introduces support for IPv6 and enables the IAP to access control capabilities to clients firewall enhancements management of IAPs through a static IPV6 IP support for IPV6 RADIUS server Management Frame Protection An IEEE 802 11w standard that increases security by providing data confidentiality of management frames Table 5 New Features Support for New IAP Devices Insta...

Page 17: ...is l Compatible with IEEE 802 3at PoE and 802 3af PoE l Support for MCS8 and MCS9 l Centralized management configuration and upgrades l Integrated Bluetooth Low Energy BLE radio IAP 334 335 The IAP 330 Series IAP 334 335 wireless access points support IEEE 802 11ac standards for high performance WLAN and are equipped with two dual band radios which can provide network access and monitor the networ...

Page 18: ...llowing steps to connect an IAP to the power source l PoE switch Connect the Ethernet 0 Enet0 port of the IAP to the appropriate port on the PoE switch l PoE midspan Connect the Enet0 port of the IAP to the appropriate port on the PoE midspan l AC to DC power adapter Connect the 12V DC power jack socket to the AC to DC power adapter RAP 155P supports PSE for 802 3at powered device class 0 4 on one...

Page 19: ...g IAPs through AirWave Zero Touch Provisioning of IAPs Zero Touch Provisioning eliminates the traditional method of deploying and maintaining devices and allows you to provision new devices in your network automatically without manual intervention Following are the zero touch provisioning methods for Instant Aruba Activate is a cloud based service designed to enable more efficient deployment and m...

Page 20: ...network connection icon in the system tray The Wireless Network Connection window is displayed b Click the Instant network and then click Connect 4 If the Mac OS system is used a Click the AirPort icon A list of available Wi Fi networks is displayed b Click the instant network The Instant SSIDs are broadcast in 2 4 GHz only IAP Cluster IAPs in the same VLAN automatically find each other and form a...

Page 21: ...ba Activate server perform the following checks l The serial number or the MAC address of the IAP is registered in the Activate database l The IAP is operational and is able to connect to the Internet l IAP has received a DNS server address through DHCP or static configuration l IAP is able to configure time zone using a Network Time Proticol NTP server l The required firewall ports are open Most ...

Page 22: ...twork to connect to the Internet all browser requests are directed to the Instant UI For example if you enter www example com in the address bar you are directed to the Instant UI You can change the default login credentials after the first login Regulatory Domains The IEEE 802 11 b g n Wi Fi networks operate in the 2 4 GHz spectrum and IEEE 802 11a n operates in the 5 GHz spectrum The spectrum is...

Page 23: ...pported country codes If the IAP cluster consists of multiple IAP platforms the country codes supported by the master IAP is displayed for all other IAPs in the cluster Select a country code from the list and click OK The IAP operates in the selected country code domain Figure 2 Specifying a Country Code You can also view the list of supported country codes for the IAP RW variants using the show c...

Page 24: ...on Therefore Aruba recommends that you configure fewer changes at a time and apply the changes at regular intervals To apply and save the configuration changes at regular intervals execute the following command in the privileged EXEC mode Instant AP commit apply To apply the configuration changes to the cluster without saving the configuration execute the following command in the privileged EXEC m...

Page 25: ...attribute equals not equals starts with ends with contains operator value of no set role set vlan attribute equals not equals starts with ends with contains operator VLAN ID value of no set vlan attribute equals not equals starts with ends with contains operator value of no set vlan auth server name no auth server name Table 8 Sequence Sensitive Commands Banner and Loginsession Configuration using...

Page 26: ...val Instant AP config loginsession timeout val val can be any number of minutes from 5 to 60 or any number of seconds from 1 to 3600 You can also specify a timeout value of 0 to disable CLI session timeouts The users must re login to the IAP after the session times out The session does not time out when the value is set to 0 Aruba Instant 6 5 0 0 4 3 0 0 User Guide Setting up an IAP 26 ...

Page 27: ...wnload method After the initial configuration is applied to the IAPs the configuration can be changed at any point You can configure a polling mechanism to fetch the latest configuration by using an FTP or FTPS client periodically If the remote configuration is different from the one running on the IAP and if a difference in the configuration file is detected by the IAP the new configuration is ap...

Page 28: ... mode profile password password NOTE If the automatic mode is enabled the user credentials are automatically generated based on IAP MAC address 3 Specify the configuration file Instant AP managed mode profile config filename file_name Filename Indicates filename in the alphanumeric format Ensure that configuration file name does not exceed 40 characters 4 Specify the configuration file download me...

Page 29: ...naged mode profile end Instant AP commit apply Table 9 Managed Mode Commands If you want to apply the configuration immediately and do not want to wait until next configuration retrieval attempt execute the following command Instant AP managed mode sync server Example To configure managed mode profile Instant AP config managed mode profile Instant AP managed mode profile username username Instant ...

Page 30: ...0 Automatic Retrieval of Configuration Aruba Instant 6 5 0 0 4 3 0 0 User Guide If the configuration settings retrieved in the configuration file are incomplete IAPs reboot with the earlier configuration ...

Page 31: ...rength VPN and AirWave configuration details before logging in to the Instant UI The following figure shows the information displayed in the connectivity summary Figure 3 Connectivity Summary Language The Language drop down list contains the available languages and allows users to select their preferred language before logging in to the Instant UI A default language is selected based on the langua...

Page 32: ...anner l Search Text Box l Tabs l Links l Views Banner The banner is a horizontal gray rectangle that appears on the Instant main window It displays the company name logo and the VC s name Search Text Box Administrators can search for an IAP client or a network in the Search text box When you type a search text the search function suggests matching keywords and allows you to automatically complete ...

Page 33: ...ork is displayed on the Access Points tab The IAP names are displayed as links If the Auto Join Mode feature is disabled the New link is displayed Click this link to add a new IAP to the network If an IAP is configured and not active its MAC Address is displayed in red The expanded view of the Access Points tab displays the following information about each IAP l Name Name of the IAP If the IAP fun...

Page 34: ...ich the client is connected l Access Point IAP to which the client is connected l Channel The client operating channel l Type Type of the Wi Fi client l Role Role assigned to the client l Signal Current signal strength of the client as detected by the IAP l Speed mbps Current speed at which data is transmitted When the client is associated with an IAP it constantly negotiates the speed of data tra...

Page 35: ...l Monitoring Allows you to view or configure the following details n Syslog Allows you to view or configure Syslog server details for sending syslog messages to the external servers See Configuring a Syslog Server on page 364 for more information n TFTP Dump Allows you to view or configure a Trivial File Tranfer Protocol TFTP dump server for core dump files See Configuring TFTP Dump Server on page...

Page 36: ...nt access to a selected list of websites For more information see Configuring Walled Garden Access on page 141 l External Captive Portal Use this tab to configure external captive portal profiles For more information see Configuring External Captive Portal for a Guest Network on page 129 l Custom Blocked Page URL Use this tab to create a list of URLs that can be blocked using an ACL rule For more ...

Page 37: ...ort VPN The VPN window allows you to define communication settings with an Aruba controller or a third party VPN concentrator See VPN Configuration on page 228 for more information The following figure shows an example of the IPsec configuration options available in the VPN window Figure 5 VPN Window for IPsec Configuration IDS The IDS window allows you to configure wireless intrusion detection an...

Page 38: ...nstant 6 5 0 0 4 3 0 0 User Guide Figure 6 IDS Window Intrusion Detection Figure 7 IDS Window Intrusion Protection For more information on wireless intrusion detection and protection see Detecting and Classifying Rogue IAPs on page 327 ...

Page 39: ...tegration see Configuring an IAP for Analytics and Location Engine Support on page 292 l OpenDNS Allows you to configure support for OpenDNS business solutions which require an OpenDNS www opendns com account The OpenDNS credentials are used by Instant and AirWave to filter content at the enterprise level For more information see Configuring OpenDNS Credentials on page 294 l CALEA Allows you confi...

Page 40: ...us DHCP modes The following figure shows the options available in the DHCP Servers window Figure 10 DHCP Servers Window For more information see DHCP Configuration on page 211 Support The Support link consists of the following details l Command Allows you to select a support command for execution l Target Displays a list of IAPs in the network l Run Allows you to execute the selected command for a...

Page 41: ... text or term displayed in green italics to view its description or definition 3 To disable the help mode click Done Logout The Logout link allows you to log out of the Instant UI Monitoring The Monitoring link displays the Monitoring pane for the Instant network Use the down arrow located to the right side of these links to compress or expand the Monitoring pane The Monitoring pane consists of th...

Page 42: ...ers Displays the number of internal guest users l Internal User Open Slots Displays the available slots for user configuration as supported by the IAP model Info section in the Network view The Info section in the Network view displays the following information l Name Displays the name of the network l Status Displays the status of the network l Type Displays the type of network for example Employ...

Page 43: ...to which the client is connected l Access Point Indicates the IAP to which the client is connected l Channel Indicates the channel that is currently used by the client l Type Displays the channel type on which the client is broadcasting l Role Displays the role assigned to the client Table 10 Contents of the Info Section in the Instant Main Window RF Dashboard The RF Dashboard section lists the IA...

Page 44: ...Speed icon changes in the following order l Green Data transfer speed is more than 50 of the maximum speed supported by the client l Orange Data transfer speed is between 25 and 50 of the maximum speed supported by the client l Red Data transfer speed is less than 25 of the maximum speed supported by the client To view the data transfer speed graph of a client click the speed icon corresponding to...

Page 45: ...ing on the errors color of the lines on the Errors icon changes in the following order l Green Errors are less than 5000 frames per second l Orange Errors are between 5000 and 10 000 frames per second l Red Errors are more than 10000 frames per second To view the errors graph of an IAP click the Errors icon next to the IAP in the Errors column Table 11 RF Dashboard Icons RF Trends The RF Trends se...

Page 46: ...ian line l Retry Out Retries for the outgoing frames are displayed above the median line in black l Retry In Retries for the incoming frames are displayed below the median line in red To see an enlarged view click the graph The enlarged view provides Last Minimum Maximum and Average statistics for the In Out Retries In and Retries Out frames To see the exact frames at a particular time move the cu...

Page 47: ...lt view 2 In the Clients tab click the IP address of the client for which you want to monitor the throughput 3 Study the Throughput graph in the RF Trends pane For example the graph shows 1 0 Kbps outgoing traffic throughput for the client at 12 30 hours Table 12 Client View RF Trends Graphs and Monitoring Procedures Usage Trends The Usage Trends section displays the following graphs l Clients In ...

Page 48: ...ith the selected network at 12 00 hours Throughput The Throughput graph shows the throughput of the selected network for the last 15 minutes l Outgoing traffic Throughput for the outgoing traffic is displayed in green Outgoing traffic is shown above the median line l Incoming traffic Throughput for the incoming traffic is displayed in blue Incoming traffic is shown below the median line To see an ...

Page 49: ...Points tab click the IAP for which you want to monitor the client association 3 Study the CPU Utilization graph in the Overview pane For example the graph shows that the CPU utilization of the IAP is 30 at 12 09 hours Neighboring Clients The Neighboring Clients graph shows the number of clients not connected to the selected IAP but heard by it l Any client that successfully authenticates with a va...

Page 50: ...IAP for the last 15 minutes l Outgoing traffic Throughput for the outgoing traffic is displayed in green It is shown above the median line l Incoming traffic Throughput for the incoming traffic is displayed in blue It is shown below the median line To see an enlarged view click the graph l The enlarged view provides Last Minimum Maximum and Average statistics for the incoming and outgoing traffic ...

Page 51: ...ent count on each channel are displayed The following figure shows the client view heat map for an IAP radio Figure 16 Channel Availability Map for Clients AppRF The AppRF link displays the application traffic summary for IAPs and client devices The AppRF link in the activity panel is displayed only if AppRF visibility is enabled in the System window For more information on application visibility ...

Page 52: ... to Noise plus Interference Ratio SNIR Spectrum monitors display spectrum analysis data seen on all channels in the selected band and hybrid IAPs display data from the single channel that they are monitoring For more information on spectrum monitoring see Spectrum Monitor on page 340 Alerts Alerts are generated when a user encounters problems while accessing or connecting to a network The alerts t...

Page 53: ...Faults alerts occur in the event of a system fault The Active Faults alerts consists of the following information l Time Displays the system time when an event occurs l Number Indicates the number of sequence l Description Displays the event details Fault History The Fault History alerts display the historic system faults The Fault History alert displays the following information l Time Displays t...

Page 54: ... the Aruba customer support team 100102 Unknown SSID in association request The IAP cannot allow this client to associate because the association request received contains an unknown SSID Identify the client and check its Wi Fi driver and manager software 100103 Mismatched authentication encryption setting The IAP cannot allow this client to associate because its authentication or encryption setti...

Page 55: ...n request from this client because the credentials provided have been rejected by the RADIUS server too many times Identify the client and check its 802 1X credentials 100308 RADIUS server connection failure The IAP cannot authenticate this client using 802 1X because the RADIUS server did not respond to the authentication request If the IAP is using the internal RADIUS server it is recommend to c...

Page 56: ...e following information is displayed for each foreign IAP n MAC address Displays the MAC address of the foreign IAP n Network Displays the name of the network to which the foreign IAP is connected n Classification Displays the classification of the foreign IAP for example Interfering IAP or Rogue IAP n Channel Displays the channel in which the foreign IAP is operating n Type Displays the Wi Fi typ...

Page 57: ...f the AirGroup servers l Wired Wireless Displays if the AirGroup server is connected through a wired or wireless interface l Role Displays the user role if the server is connected through 802 1X authentication If the server is connected through Phase Shift Keying PSK or open authentication this parameter is blank l Group Displays the group l CPPM By clicking this you get details of the registered ...

Page 58: ...is paused the Pause link changes to Resume Click the Resume link to resume automatic refreshing Automatic refreshing allows you to get the latest information about the network and network elements You can use the Pause link when you want to analyze or monitor the network or a network element and therefore do not want the UI to refresh Views Depending on the link or tab that is clicked Instant disp...

Page 59: ...AP that you want to monitor l Client view The Client view provides information that is necessary to monitor a selected client In the Client view all the clients in the Instant network are listed in the Clients tab Click the IP address of the client that you want to monitor For more information on the graphs and the views see Monitoring on page 41 Aruba Instant 6 5 0 0 4 3 0 0 User Guide Instant Us...

Page 60: ...oned on a shadow interface on the IAP that takes the role of a VC When an IAP becomes a VC it sends three Address Resolution Protocol ARP messages with the static IP address and its MAC address to update the network ARP cache Instant AP config virtual controller ip IP address Allow IPv6 Management Select the check box to enable IPv6 configuration Virtual Controller IPv6 This parameter is used to c...

Page 61: ...ress of the bridge interface is used NOTE When dynamic tacacs proxy is enabled on the IAP the TACACS server cannot identify the slave IAP that generates the TACACS traffic as the source IP address is changed To enable dynamic RADIUS proxy Instant AP config dynamic radius proxy To enable TACACS proxy Instant AP config dynamic tacacs proxy MAS Integration Select Enabled Disabled from the MAS integra...

Page 62: ...2 NOTE To facilitate zero touch provisioning using the AMP Central or Activate you must configure the firewall and wired infrastructure to either allow the NTP traffic to pool ntp org or provide alternative NTP servers under DHCP options Timezone Timezone in which the IAP must operate You can also enable daylight saving time DST on IAPs if the time zone you selected supports the daylight saving ti...

Page 63: ...gured for an IAP as part of the per IAP setting Edit Access Point General it takes precedence over the VC DNS IP address defined in the System General window l If the IAPs are not explicitly assigned a DNS IP address the DNS IP address defined in System General takes precedence l If the DNS IP address is not defined for IAPs or VC the DNS address dynamically assigned from the DHCP server is used l...

Page 64: ...LED display LED display status of the IAP To enable or disable LED display for all IAPs in a cluster select Enabled or Disabled respectively NOTE The LEDs are always enabled during the IAP reboot Instant AP config led off Extended SSID Extended SSID is enabled by default in the factory default settings of IAPs This disables mesh in the factory default settings l The RAP 108 109 access points suppo...

Page 65: ... Internet but cannot communicate with each other and the routing traffic between the clients is sent to the upstream device to make the forwarding decision By default the Deny local routing parameter is disabled Instant AP config deny local routing Dynamic CPU Utilization IAPs perform various functions such as wired and wireless client connectivity and traffic flows wireless security network manag...

Page 66: ...instead of plain text Hashed passwords are more secure as they cannot be converted back to plain text format Upgrading to the Instant 6 5 0 0 4 3 0 0 version will not automatically enable hashing of management user passwords as this setting is optional Users can choose if management passwords need to be stored and displayed as hash or if the passwords need to remain in encrypted format This settin...

Page 67: ... config end Instant AP commit apply The following example adds a management user with read only privilege Instant AP config hash mgmt user john password cleartext password01 usertype read only Instant AP config end Instant AP commit apply The following examples removes a management user with read only privilege Instant AP config no hash mgmt user read only Instant AP config end Instant AP commit a...

Page 68: ...ab click the IAP you want to rename 2 Click the edit link 3 Edit the IAP name in Name You can specify a name of up to 32 ASCII characters 4 Click OK In the CLI To change the name Instant AP hostname name Configuring Zone Settings on an IAP All IAPs in a cluster use the same SSID configuration including master and slave IAPs However if you want to assign an SSID to a specific IAP you can configure ...

Page 69: ... Netmask text box c Enter the IP address of the default gateway in the Default gateway text box d Enter the IP address of the DNS server in the DNS server text box e Enter the domain name in the Domain name text box 4 Click OK and reboot the IAP In the CLI To configure a static IP address Instant AP ip address IP address subnet mask NextHop IP DNS IP address domain name Configuring External Antenn...

Page 70: ...ternal connectors by using the Instant UI or the CLI In the Instant UI To configure the antenna gain value 1 Navigate to the Access Points tab select the IAP to configure and then click edit 2 In the Edit Access Point window select External Antenna to configure the antenna gain value This option is available only for access points that support external antennas 3 Enter the antenna gain values in d...

Page 71: ...ptimized dynamically using ARM You can override ARM on the 2 4 GHz and 5 GHz bands and set the channel and power manually if desired The following table describes various configuration modes for an IAP Mode Description Access In Access mode the IAP serves clients while also monitoring for rogue IAPs in the background If the Access mode is selected perform the following actions 1 Select Administrat...

Page 72: ...d_profile You can also set the maximum clients when configuring SSID profiles using the Max Clients Threshold parameter in the Instant UI and max clients threshold parameter in the Instant CLI For more information see Configuring WLAN Settings for an SSID Profile on page 82 If the maximum clients setting is configured multiple times using either the configuration mode or Privileged EXEC mode the l...

Page 73: ...link.
3. Click the Uplink tab.
4. Set the port status by selecting any of the following options: Disabled (to disable the port status) or Enabled (to re-enable the port status).
5. Click OK.
6. Reboot the IAP.
In the CLI
To disable the USB port:
(Instant AP)# usb-port-disable
To re-enable the USB port:
(Instant AP)# no usb-port-disable
To view the USB port status:
(Instant AP)# show ap env
Antenna Type:External
usb-port-d...

Page 74: ...VC and is up for more than 5 minutes, the VC will not be replaced until it goes down. IAP-135 is preferred over IAP-105 when a VC is elected.
Preference to an IAP with Non-Default IP
The Master Election Protocol prefers an IAP with a non-default IP when electing a VC for the Instant network during initial startup. If there is more than one IAP with a non-default IP in the network, all IAPs with default...

Page 75: ...see Assigning an IP address to the IAP on page 18. After an IAP is connected to the network, if the Auto Join feature is enabled, the IAP inherits the configuration from the VC and is listed in the Access Points tab. If the auto-join mode is disabled, perform the following steps by using the Instant UI.
In the Instant UI
To add an IAP to the network:
1. On the Access Points tab, click the New link.
2. In th...

Page 76: ...e x icon is displayed beside the IAP.
2. Click x to confirm the deletion. The deleted IAPs cannot join the Instant network anymore and are not displayed in the Instant UI. However, the master IAP details cannot be deleted from the VC database. ...

Page 77: ...ame VLAN for multiple clients can lead to a high level of broadcasts in the same subnet. To manage the broadcast traffic, you can partition the network into different subnets and use L3 mobility between those subnets when clients roam. However, if a large number of clients need to be in the same subnet, you can configure VLAN pooling, in which each client is randomly assigned a VLAN from a pool of VLANs...

Page 78: ...2f0:0000:0000:0000:0001
- Valid format: 2001:db8:a0b:12f0::0:0:1
- Invalid format: 2001:db8:a0b:12f0::0::1 (the :: sign appears only once in an address)
- With leading zeros omitted: 2001:db8:a0b:12f0:0:0:0:1
- Switching from upper to lower case: 2001:DB8:A0B:12f0:0:0:0:1
IPv6 uses a notation which describes the number of bits in the netmask, as in IPv4:
2001:db8::1/128 (single host)
2001:db8::/64 (network)
IPv6 configura...
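The notation rules above (1-4 hex digits per group, eight groups unless "::" stands in for a run of zero groups, "::" at most once, case and leading zeros irrelevant, prefix length as in IPv4) can be checked before an address is pushed into a configuration. The following is an added example, not code from the Aruba Instant product or this guide; the sample addresses are constructed and the `has_host_bits` check is a caveat of my own: a network written with host bits set is a common typo that `strict=True` catches.

```python
import ipaddress
import re
from typing import Tuple

GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def check_ipv6_notation(text: str) -> Tuple[bool, str]:
    """Apply the notation rules independently of the ipaddress module so a
    rejection explains itself. Returns (accepted, reason)."""
    if text.count("::") > 1:
        return False, "'::' may appear only once"
    if "::" in text:
        head, tail = text.split("::")
        # "::" replaces at least one zero group, so at most 7 explicit groups remain
        groups = [g for part in (head, tail) if part for g in part.split(":")]
        if len(groups) > 7:
            return False, "'::' must replace at least one zero group"
    else:
        groups = text.split(":")
        if len(groups) != 8:
            return False, f"expected 8 groups, found {len(groups)}"
    for g in groups:
        if not GROUP.match(g):
            return False, f"bad group {g!r}"
    return True, "ok"


def canonical(text: str) -> str:
    """Case and leading zeros do not change the address: every accepted
    spelling of the same address has the same compressed lowercase form."""
    return ipaddress.IPv6Address(text).compressed


def parse_prefix(text: str) -> ipaddress.IPv6Network:
    """Prefix notation as in IPv4: /128 is a single host, /64 a network."""
    return ipaddress.IPv6Network(text, strict=True)


def has_host_bits(text: str) -> bool:
    """True when a prefix such as 2001:db8::1/64 has bits set beyond /64,
    which strict parsing rejects; a sign the operator meant /128 or ::/64."""
    try:
        ipaddress.IPv6Network(text, strict=True)
        return False
    except ValueError:
        return True


# Constructed samples mirroring the page's rules
SAMPLES = [
    "2001:db8:a0b:12f0:0000:0000:0000:0001",  # full eight-group form
    "2001:db8:a0b:12f0::1",                   # "::" used once
    "2001:db8:a0b:12f0:0:0:0:1",              # leading zeros omitted
    "2001:DB8:A0B:12f0:0:0:0:1",              # upper/lower case mixed
    "2001:db8:a0b::12f0::1",                  # invalid: "::" twice
    "2001:db8:a0b:12f0::1:",                  # invalid: empty trailing group
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = check_ipv6_notation(s)
        print(f"{s:40} {'ok' if ok else 'reject'}: {why if not ok else canonical(s)}")
    print("2001:db8::1/64 has host bits set:", has_host_bits("2001:db8::1/64"))
```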

Page 79: ...Pv6 address for an IAP:
(Instant AP)(config)# virtual-controller-ipv6 <ipv6-address>
(Instant AP)(config)# end
(Instant AP)# commit apply
The VC IPv6 address can be configured only after enabling the v4-prefer mode in the Instant CLI.
RADIUS over IPv6
With the address mode set to v4-prefer, the IAP supports an IPv6 IP address for the RADIUS server. The authentication server configuration can also include the NAS I...

Page 80: ...6 547 6, destined to network 2002::/64 (DHCPv6), is denied; any 2001::10/128 6 0-65535 20-21 6, destined to host 2001::10 (FTP), is denied. For all ACLs, the IAP has an implicit IPv4 and IPv6 allow-all ACL rule.
Debugging Commands
Use the following commands to troubleshoot issues pertaining to IPv6 configuration:
- show ipv6 interface brief and show ipv6 interface details display the configured IPv6 address...
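The two denies above only have the effect the text describes because of the implicit allow-all at the end of every ACL: a packet that matches no explicit rule is permitted, so a deny list that forgets a protocol or port range fails open. The evaluator below is an added example (not the IAP's ACL engine) that applies first-match semantics over a constructed ACL and falls through to permit; the protocol numbers (DHCPv6 = UDP 17 port 547, FTP = TCP 6 ports 20-21) are my reading of the page's table, and the test cases are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY6 = ipaddress.IPv6Network("::/0")


@dataclass(frozen=True)
class Rule:
    dest: ipaddress.IPv6Network   # destination network; "any" becomes ::/0
    proto: Optional[int]          # 6 = TCP, 17 = UDP, None = any protocol
    ports: Tuple[int, int]        # inclusive destination port range
    action: str                   # "permit" or "deny"


def rule(dest: str, proto: Optional[int], start: int, end: int, action: str) -> Rule:
    net = ANY6 if dest == "any" else ipaddress.IPv6Network(dest, strict=False)
    return Rule(net, proto, (start, end), action)


# Constructed ACL matching the two denies described on this page
ACL: List[Rule] = [
    rule("2002::/64", 17, 547, 547, "deny"),      # DHCPv6 server port towards 2002::/64
    rule("2001::10/128", 6, 20, 21, "deny"),      # FTP towards host 2001::10
]


def evaluate(acl: List[Rule], dst_ip: str, proto: int, dport: int) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. Returns (action, rule); rule is None when
    only the implicit allow-all applied."""
    dst = ipaddress.IPv6Address(dst_ip)
    for r in acl:
        if dst not in r.dest:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        lo, hi = r.ports
        if not lo <= dport <= hi:
            continue
        return r.action, r
    return "permit", None   # implicit IPv6 allow-all rule at the end of every ACL


def permitted_by_fallthrough(acl: List[Rule], flows) -> list:
    """List the constructed flows that reach the implicit allow-all; use it to
    review whether a deny-only ACL really covers what the operator intended."""
    return [f for f in flows if evaluate(acl, *f)[1] is None]


if __name__ == "__main__":
    flows = [("2002::1", 17, 547), ("2001::10", 6, 21), ("2001::10", 6, 22), ("2002::1", 6, 547)]
    for f in flows:
        action, r = evaluate(ACL, *f)
        print(f, "->", action, "(explicit)" if r else "(implicit allow-all)")
```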

Page 81: ...network. This network type is used by the employees in an organization, and it supports passphrase-based or 802.1X-based authentication methods. Employees can access the protected data of an enterprise through the employee network after successful authentication. The employee network is selected by default during a network profile configuration.
- Voice network: This network type allows you to con...

Page 82: ...yed. The following figure shows the contents of the WLAN Settings tab.
Figure 26: WLAN Settings Tab
2. Enter a name that uniquely identifies a wireless network in the Name (SSID) text box. The SSID name must be unique and may contain any special character except for and
3. Based on the type of network profile, select any of the following options under Primary usage: Employee, Voice, or Guest.
4. Click the Sh...

Page 83: ...d to allow the IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video while preserving the bandwidth available to the non-video clients. NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN. DMO channe...

Page 84: ...s on an IAP on page 68.
Time Range: Click Edit, select a Time Range Profile from the list, specify whether the profile must be enabled or disabled for the SSID, and then click OK.
Bandwidth Limits: Select the required options under Bandwidth Limits.
- Airtime: Select this check box to specify an aggregate amount of airtime that all clients in this network can use for sending and receiving data. Specify the a...

Page 85: ...you do not want the SSID network name to be visible to users. Select the Disable check box if you want to disable the SSID. On selecting this, the SSID is disabled but not removed from the network. By default, all SSIDs are enabled.
Out of service (OOS): Enable or disable the SSID based on the following OOS states of the IAP: VPN down, Uplink down, Internet down, or Primary uplink down. The ne...

Page 86: ...SSID Profile <name>)# broadcast-filter {All|ARP|Unicast-ARP-Only|Disabled}
(Instant AP)(SSID Profile <name>)# dtim-period <number-of-beacons>
(Instant AP)(SSID Profile <name>)# multicast-rate-optimization
(Instant AP)(SSID Profile <name>)# dynamic-multicast-optimization
(Instant AP)(SSID Profile <name>)# dmo-channel-utilization-threshold
(Instant AP)(SSID Profile <name>)# a-max-tx-rate <rate>
(Instant AP)(SSID Profile <name>)# a-min-tx-rate <r...

Page 87: ...ximum of eight retries when clients are not responding to 802.11 packets. The following example shows the configuration of temporal diversity and max retries in a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <Name>
(Instant AP)(SSID Profile <Name>)# temporal-diversity
(Instant AP)(SSID Profile <Name>)# max-retries 3
(Instant AP)(SSID Profile <Name>)# end
(Instant AP)# commit apply
Configuring VLAN Settings for a...

Page 88: ...assignment:
- Virtual Controller assigned: On selecting this option, the client obtains the IP address from the VC.
- Network assigned: On selecting this option, the IP address is obtained from the network.
3. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table. ...

Page 89: ...need to specify any one of the following: a single VLAN, a comma-separated list of VLANs, or a range of VLANs for all clients on this network. Select this option for configuring VLAN pooling.
- Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLA...
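The static VLAN field above accepts a single VLAN, a comma-separated list, or a range, and VLAN pooling (page 77) then hands each client a random member of that set to keep any one broadcast domain small. The following added example (not Aruba code) parses that field syntax, rejects malformed specs before they reach a profile, and shows the random pool assignment with a per-VLAN count so the spread can be inspected; the 1-4094 id range is the 802.1Q limit and an assumption on my part, and the client MACs are constructed.

```python
import random
from collections import Counter
from typing import Dict, Iterable, List, Optional


def parse_vlan_pool(spec: str) -> List[int]:
    """Accept "10", "10,20,30", "30-35", or mixtures such as "10,30-35".
    Duplicates collapse; the result is sorted so pools compare equal
    regardless of how they were written."""
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty item in {spec!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)   # 802.1Q id range (assumption)
    if bad:
        raise ValueError(f"VLAN id out of range: {bad}")
    return sorted(vlans)


def assign_vlans(pool: List[int], client_macs: Iterable[str],
                 rng: Optional[random.Random] = None) -> Dict[str, int]:
    """VLAN pooling: every client gets a VLAN picked at random from the pool.
    A seeded Random makes the result reproducible for testing."""
    if not pool:
        raise ValueError("empty VLAN pool")
    rng = rng or random.Random()
    return {mac: rng.choice(pool) for mac in client_macs}


def broadcast_domain_sizes(assignment: Dict[str, int]) -> Dict[int, int]:
    """Clients per VLAN: the quantity pooling is meant to keep small."""
    return dict(Counter(assignment.values()))


if __name__ == "__main__":
    pool = parse_vlan_pool("100, 110-113")
    macs = [f"00:11:22:33:44:{i:02x}" for i in range(40)]   # constructed clients
    assignment = assign_vlans(pool, macs, random.Random(1))
    print("pool:", pool)
    print("clients per VLAN:", broadcast_domain_sizes(assignment))
```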

Page 90: ...on, see Captive Portal for Guest Access. If you are creating a new SSID profile, configure the WLAN and VLAN settings before defining security settings. For more information, see Configuring WLAN Settings for an SSID Profile on page 82 and Configuring VLAN Settings for a WLAN SSID Profile on page 87.
Configuring Security Settings for an Employee or Voice Network
You can configure security settings for a...

Page 91: ...Figure 28: Security Tab (Enterprise). Figure 29: Security Tab (Personal). ...

Page 92: ...Figure 30: Security Tab (Open).
2. Based on the security level selected, specify the following parameters: ...

Page 93: ...configure the passphrase:
1. Select a passphrase format from the Passphrase format drop-down list. The options available are 8-63 alphanumeric characters and 64 hexadecimal characters.
2. Enter a passphrase in the Passphrase text box and reconfirm.
NOTE: The Passphrase may contain any special character except for
For Static WEP, specify the following parameters:
1. Select an appropriate value for WEP key s...
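The two passphrase formats above are not two kinds of key: a 64-hex-digit value is the 256-bit pairwise master key itself, while an 8-63 character passphrase is stretched into that same 32-byte key with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt), as specified for WPA/WPA2-Personal in IEEE 802.11. The example below is added here and is not Aruba code; it validates the format the way a practitioner would before pushing a profile, then derives the PSK so that both forms can be compared. Accepting any printable ASCII character in the 8-63 form is the 802.11 rule and my assumption about what "special character" covers on this page.

```python
import hashlib
import re


def passphrase_format(value: str) -> str:
    """Classify a Personal-security secret as one of the two formats the UI
    offers. Raises ValueError for anything else so a bad value never reaches
    the profile. Printable ASCII (0x20-0x7E) is the 802.11 passphrase charset."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return "hex64"
    if 8 <= len(value) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in value):
        return "passphrase"
    raise ValueError("secret must be 8-63 printable ASCII characters or exactly 64 hex digits")


def derive_psk(ssid: str, value: str) -> bytes:
    """Return the 32-byte PSK. A 64-hex value is used as is; a passphrase is
    expanded with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID,
    so the same passphrase yields a different key on every SSID."""
    kind = passphrase_format(value)
    if kind == "hex64":
        return bytes.fromhex(value)
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def same_key(ssid: str, a: str, b: str) -> bool:
    """True when two secrets (in either format) unlock the same SSID."""
    return derive_psk(ssid, a) == derive_psk(ssid, b)


if __name__ == "__main__":
    # Constructed SSID; "password"/"IEEE" is the published 802.11 PBKDF2 test vector
    psk = derive_psk("IEEE", "password")
    print("PSK:", psk.hex())
    print("64-hex form equivalent:", same_key("IEEE", "password", psk.hex()))
    print("different SSID, different key:", derive_psk("Other", "password") != psk)
```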

Page 94: ...onfigure another authentication server. (Enterprise, Personal, and Open security levels.)
Load balancing: Set this to Enabled if you are using two RADIUS authentication servers, so that the load across the two RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 156. (Enterprise, Personal, and Open securit...

Page 95: ...ivability to Enabled. Specify a value in hours for Cache timeout (global) to set the duration after which the authenticated credentials in the cache must expire. When the cache expires, the clients are required to authenticate again. You can specify a value within the range of 1-99 hours; the default value is 24 hours. NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2...

Page 96: ...the delimiter in the MAC authentication request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. NOTE: This option is available only when MAC authentication is enabled. (Enterprise, Personal, and Open security levels.)
Uppercase support: Set to Enabled to allow the I...

Page 97: ...sed BSS transition. The 802.11v standard defines mechanisms for wireless network management enhancements and BSS transition management. It allows client devices to exchange information about the network topology and RF environment. The BSS transition management mechanism enables an IAP to request a voice client to transition to a specific IAP, or to suggest a set of preferred IAPs to a voice client, due to ne...

Page 98: ...rim-accounting-interval <minutes>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure open security settings for Employee and Voice users of a WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# opmode opensystem
(Instant AP)(SSID Profile <name>)# mac-authentication
(Instant AP)(SSID Profile <nam...

Page 99: ...ormation, see Configuring Captive Portal Roles for an SSID on page 138.
- Create a role assignment rule. For more information, see Configuring Derivation Rules on page 201.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat|vlan <vlan_id>|tunne...

Page 100: ...webreputation well-known-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation safe-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation high-risk-sites deny
(Inst...

Page 101: ...oams to a new IAP. This allows faster roaming of clients between the IAPs in a cluster without requiring a complete 802.1X authentication. OKC roaming, when configured in the 802.1X Authentication profile, is supported on WPA2 clients. If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever a client roams to a new IAP.
Configuring...

Page 102: ...ntation, clients pre-authenticate with multiple IAPs in a cluster. As part of the 802.11r implementation, Instant supports the Fast BSS Transition protocol. The Fast BSS Transition mechanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster. This minimizes the time required to resume data connectivity when a BSS transition happens. Fast BSS Transition...

Page 103: ...tains transmit power and link margin information.
- Quiet IE: The Quiet IE defines an interval during which no transmission occurs in the current channel. This interval may be used to assist in making channel measurements without interference from other stations in the BSS.
- Extended Capabilities IE: The extended capabilities IE carries information about the capabilities of an IEEE 802.11 station. Beac...

Page 104: ...Client Match.
Configuring a WLAN SSID for 802.11v Support
You can enable 802.11v support on a WLAN SSID by using the Instant UI or the CLI.
In the Instant UI
1. Navigate to the WLAN wizard: go to Network > New, or go to Network > WLAN SSID and click edit.
2. Click the Security tab.
3. Under Fast Roaming, select the 802.11v check box.
4. Click Next and then click Finish.
In the CLI
To enable the 802.11v profile:
(Instant...

Page 105: ...directional Radio Frequency (RF) links and up to four simultaneous full-rate Wi-Fi connections (for example, smart phone, tablet, laptop, multimedia player, or other client device). The MU-MIMO feature is enabled by default on WLAN SSIDs to allow IAPs to use the MU beamformer bit in beacon frames to broadcast to clients. When disabled, the MU beamformer bit is set to unsupported.
Enabling or Disabling MU-MIMO...

Page 106: ...protection (MFP)-capable clients and non-MFP clients. The MFP configuration is a per-SSID configuration.
Disabling Short Preamble for Wireless Clients
To improve the network performance and communication between the IAP and its clients, you can enable or disable the transmission and reception of short preamble frames. If the short preamble is optional for the wireless devices connecting to an SSID, you c...

Page 107: ...e:
1. On the Network tab, select the network that you want to edit. The edit link is displayed.
2. Click the edit link. The Edit network window is displayed.
3. Modify the settings as required. Click Next to move to the next tab.
4. Click Finish to save the changes.
Deleting a WLAN SSID Profile
To delete a WLAN SSID profile:
1. On the Network tab, click the network that you want to delete. An x link is displayed be...

Page 108: ...ee Captive Portal for Guest Access.
Configuring Wired Settings
You can configure wired settings for a wired profile by using the Instant UI or the CLI.
In the Instant UI
1. Click the Wired link under More on the Instant main window. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed.
3. Click the Wired Settings tab and configure the following paramet...

Page 109: ...ng:
(Instant AP)(wired ap profile <name>)# spanning-tree
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring VLAN for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings procedure before configuring the VLAN settings. For more information, see Configuring Wired Settings on page 108. You can configure VLAN using the Instant UI or the CLI.
In the Instant UI ...

Page 110: ...<name>)# end
(Instant AP)# commit apply
Configuring Security Settings for a Wired Profile
If you are creating a new wired profile, complete the Wired Settings and VLAN procedures before specifying the security settings. For more information, see Configuring Wired Settings on page 108 and Configuring VLAN Settings for a WLAN SSID Profile on page 87.
Configuring Security Settings for a Wired Employee Network ...

Page 111: ...o RADIUS servers is balanced. For more information on the dynamic load balancing mechanism, see Dynamic Load Balancing between Two Authentication Servers on page 156.
2. Click Next. The Access tab details are displayed.
In the CLI
To configure security settings for an employee network:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profil...

Page 112: ...re information on role assignment rules and VLAN derivation rules, see Configuring Derivation Rules on page 201 and Configuring VLAN Derivation Rules on page 206.
- Select the Assign pre-authentication role check box to add a pre-authentication role that allows some access to the users before client authentication.
- Select the Enforce Machine Authentication check box to configure access rights to cl...

Page 113: ...re that the wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point on page 335.
b. Select and assign a profile from the 0/0 drop-down list.
c. To assign a wired profile to the Ethernet 0/1 port, select the profile from the 0/1 drop-down list.
d. If the IAP supports E2, E3, and E4 ports, assign profiles to the other Ethernet ports by selecting a profile...

Page 114: ...al interface (port channel). Port channels can be used to provide additional bandwidth or link redundancy between two devices. The IAP supports link aggregation using either a standard port channel (configuration based) or the Link Aggregation Control Protocol (protocol signaling based). You can deploy IAP-22x Series or IAP-27x Series access points with LACP configuration to benefit from the higher (greater than 1 Gb...

Page 115: ...le the static LACP mode on IAPs:
(Instant AP)# lacp-mode enable
To disable the static LACP mode on IAPs:
(Instant AP)# lacp-mode disable
Verifying Static LACP Mode
To verify the static LACP configuration, execute the following command in the IAP CLI:
(Instant AP)# show ap env
Antenna Type:Internal
name:TechPubsAP
per_ap_ssid:1234
per_ap_vlan:abc
lacp_mode:enable
Understanding Hierarchical Deployment
An IAP wit...

Page 116: ...ion for connecting to slave IAPs. Ensure that the downlink port configured in a private VLAN is not used for any wired client connection. Other downlink ports can be used for connecting to the wired clients. The following figure illustrates a hierarchical deployment scenario.
Figure 31: Hierarchical Deployment ...

Page 117: ...n internal or external server.
- The RADIUS authentication or user authentication against the IAP's internal database.
- The SSID broadcast by the IAP.
Using Instant, administrators can create a wired or WLAN guest network based on captive portal authentication for guests, visitors, contractors, and any non-employee users who can use the enterprise Wi-Fi network. Administrators can also create guest a...

Page 118: ...nly the allowed websites (typically hotel property websites). Administrators can allow or block access to specific URLs by creating a whitelist and a blacklist. When users attempt to navigate to other websites which are not in the whitelist of the walled garden profile, the users are redirected to the login page. If the requested URL is on the blacklist, it is blocked. If it appears on neither list, ...

Page 119: ...to allow the IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video while preserving the bandwidth available to the non-video clients. NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN. DMO channel util...

Page 120: ...ply to the zone configuration:
- An IAP can belong to only one zone, and only one zone can be configured on an SSID.
- If an SSID belongs to a zone, all IAPs in this zone can broadcast this SSID. If no IAP belongs to the zone configured on the SSID, the SSID is not broadcast.
- If an SSID does not belong to any zone, all IAPs can broadcast this SSID.
Time Range: Click Edit, select a Time Range Profile from t...

Page 121: ...nds, or up to 24 hours, for a client session. The default value is 1000 seconds.
Deauth Inactive Clients: Select Enabled to allow the IAP to send a deauthentication frame to the inactive client and clear the client entry.
SSID: Select the Hide check box if you do not want the SSID network name to be visible to users. Select the Disable check box if you want to disable the SSID. On selecting this, the SSID will ...

Page 122: ...d, the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.
ESSID: Enter the ESSID. If the value defined for ESSID is not the same as the profile name, the SSIDs can be searched by the ESSID value and not by the profile name.
Table 24: WLAN Configuration Parameters
6. Click Next to configure VLAN settings. The VLAN tab contents are displayed.
7. Select ...

Page 123: ...f VLANs for all clients on this network. Select this option for configuring VLAN pooling.
- Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information:
- Attribute: Select an attribute returned by...

Page 124: ...ile for Guest Access
You can configure wired settings for a wired profile by using the Instant UI or the CLI.
In the Instant UI
1. Click the Wired link under More on the Instant main window. The Wired window is displayed.
2. Click New under Wired Networks. The New Wired Network window is displayed.
3. Click the Wired Settings tab and enter the following information:
a. Name: Specify a name for the profile.
b. ...

Page 125: ...ue within the range of 1-4093.
d. If the Access mode is selected:
- If the Client IP Assignment is set to Virtual Controller Assigned, proceed to step 2.
- If the Client IP Assignment is set to Network Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode.
6. Click Next to configure internal or external captive portal authentication, roles, and access rules fo...

Page 126: ...ser database.
- Internal Acknowledged: When Internal Acknowledged is enabled, the guest users are required to accept the terms and conditions to access the Internet.
MAC authentication: Select Enabled from the Mac Authentication drop-down list to enable MAC authentication.
Delimiter character: Specify a character (for example, colon or dash) as a delimiter for the MAC address string. When configured, the IAP ...

Page 127: ...number of authentication failures.
Accounting mode: Applicable for WLAN SSIDs only. Select an accounting mode from the Accounting mode drop-down list for posting accounting information at the specified accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accou...

Page 128: ...y text box and click OK. Ensure that the policy text does not exceed 255 characters.
- To upload a custom logo, click Upload your own custom logo Image, browse to the image file, and click upload image. Ensure that the image file size does not exceed 16 KB.
- To redirect users to another URL, specify a URL in Redirect URL.
- Click Preview to preview the captive portal page.
NOTE: You can customize the captive p...

Page 129: ...aptive Portal Authentication on page 131.
- External Captive Portal Redirect Parameters
External Captive Portal Profiles
You can now configure external captive portal profiles and associate these profiles with a user role or SSID. You can create a set of captive portal profiles in the External Captive Portal window, accessed from the Security tab, and associate these profiles with an SSID or a wired pro...

Page 130: ...listing: Select Enabled to enable the automatic whitelisting of URLs. On selecting the check box for the external captive portal authentication, the URLs that unauthenticated users are allowed to access are automatically whitelisted. Automatic URL whitelisting is disabled by default.
Auth Text: Available only if Authentication Text is selected. If the External Authentication splash page is se...

Page 131: ...tication for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network, or click Edit to select an existing profile.
2. On the Security tab, select External from the Splash page type drop-down list.
3. From the Captive Portal Profile drop-down list, select a profile. You can select and modify a default profile or an already existing profile, or click New an...

Page 132: ...n list for posting accounting information at the specified Accounting interval. When the accounting mode is set to Authentication, the accounting starts only after client authentication is successful and stops when the client logs out of the network. If the accounting mode is set to Association, the accounting starts when the client associates to the network successfully and stops when the client is d...

Page 133: ...s for guest users of the wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# type Guest
(Instant AP)(wired ap profile <name>)# captive-portal {<type> [exclude-uplink <types>] | external [exclude-uplink <types>] | external profile <name> [exclude-uplink <types>]}
(Instant AP)(wired ap profile <name>)# mac-authentication
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
External Captive Portal ...

Page 134: ...ternal captive portal authentication with ClearPass Policy Manager. You can also configure the RADIUS server when configuring a new SSID profile.
2. On the Security tab, select External from the Splash page type drop-down list.
3. Select New from the Captive portal profile drop-down list and update the following:
a. Enter the IP address of the ClearPass Guest server in the IP or hostname text box. Obtain t...

Page 135: ...cedures:
- Setting up a Facebook Page
- Configuring an SSID
- Configuring the Facebook Portal Page
- Accessing the Portal Page
Setting up a Facebook Page
To enable integration with the IAP, ensure that you have a Facebook page created as a local business with a valid location.
- For more information on creating a Facebook page, see the online help available at https://www.facebook.com/help
- For more in...

Page 136: ...icking the Skip Check-in link.
- Require Wi-Fi code: When selected, the users are assigned a Wi-Fi code to gain access to the Facebook page.
5. Customize the session length and terms of service if required.
6. Click Save Settings.
Accessing the Portal Page
To access the portal page:
1. Connect to the SSID with the Facebook option enabled.
2. Launch a web browser. The browser opens the Facebook Wi-Fi page. If th...

Page 137: ...Configuring Derivation Rules on page 201. Instant supports role derivation based on the DHCP option for captive portal authentication. When the captive portal authentication is successful, a new user role is assigned to the guest users based on the DHCP option configured for the SSID profile, instead of the pre-authenticated role.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID ...

Page 138: ...AP)(Access Rule WirelessRule)# rule any any match webreputation benign-sites permit
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation suspicious-sites deny
(Instant AP)(Access Rule WirelessRule)# rule any any match webreputation high-risk-sites deny
(Instant AP)(Access Rule WirelessRule)# end
(Instant AP)# commit apply
Configuring Captive Portal Roles for an SSID
You can configure an access ...

Page 139: ...llowing attributes:
- Select Internal to configure a rule for internal captive portal authentication.
- Select External to configure a rule for external captive portal authentication.
Internal: If Internal is selected as the splash page type, perform the following steps:
- Under Splash Page Visuals, use the editor to specify the display text and colors for the initial page that is displayed to users connec...

Page 140: ...authentication.
- IP or hostname: Enter the IP address or the host name of the external splash page server.
- URL: Enter the URL for the external splash page server.
- Port: Enter the port number.
- Redirect URL: Specify a redirect URL if you want to redirect the users to another URL.
- Captive Portal failure: The Captive Portal failure drop-down list allows you to configure Internet access for the guest cl...

Page 141: ...red to explicitly block the unauthenticated users from accessing some websites. You can create a walled garden access in the Instant UI or the CLI.
In the Instant UI
To create a walled garden access:
1. Click the Security link at the top of the Instant main window. The Security window is displayed.
2. Click Walled Garden. The Walled Garden tab contents are displayed.
3. To allow the users to access a specific d...
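The walled garden semantics described on page 118 and configured here come down to one decision per request from an unauthenticated client: whitelisted destination, pass; blacklisted destination, block; anything else, redirect to the login page. The following is an added example (not the IAP's implementation) of that decision with domain-suffix matching, so that a whitelist entry of hotel.example also admits www.hotel.example but not nothotel.example. Evaluating the blacklist before the whitelist on an overlapping entry is my assumption; the page does not say which list wins. The sample lists and URLs are constructed.

```python
from typing import Iterable
from urllib.parse import urlsplit


def request_host(url: str) -> str:
    """Extract the lowercase host a client is trying to reach. A bare
    hostname (as typed into a browser) is accepted as well as a full URL."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """Suffix match on DNS labels: entry "hotel.example" or "*.hotel.example"
    covers hotel.example and any subdomain, never nothotel.example."""
    entry = entry.lower().lstrip("*.").rstrip(".")
    return host == entry or host.endswith("." + entry)


def walled_garden_decision(url: str, whitelist: Iterable[str], blacklist: Iterable[str]) -> str:
    """Decision for an unauthenticated client: 'block', 'allow', or 'redirect'
    (to the captive portal login page). Blacklist is consulted first (assumption)."""
    host = request_host(url)
    if any(host_matches(host, e) for e in blacklist):
        return "block"
    if any(host_matches(host, e) for e in whitelist):
        return "allow"
    return "redirect"


if __name__ == "__main__":
    # Constructed walled garden: the property's own sites are open, one host is blocked
    whitelist = ["hotel.example", "*.cdn.example"]
    blacklist = ["bad.example"]
    for u in ("http://www.hotel.example/rooms", "https://img.cdn.example/a.png",
              "http://nothotel.example/", "http://evil.bad.example/", "other.example"):
        print(f"{u:35} -> {walled_garden_decision(u, whitelist, blacklist)}")
```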

Page 142: ...ile or Edit Wired Network window is displayed. You can also customize the splash page design on the Security tab of the New WLAN (WLAN wizard) and New Wired Network (wired profile) windows when configuring a new profile.
2. Navigate to the Security tab.
3. Select None from the Splash page type drop-down list. Although the splash page is disabled, you can enable MAC authentication, configure authentication servers, set ...

Page 143: ...profiles and DHCP server configuration parameters, and manages the local user database. The admin users can access the VC Management UI.
- Guest administrator: A guest interface management user who manages guest users added in the local user database.
- Administrator with read-only access: The read-only admin user does not have access to the Instant CLI. The Instant UI is displayed in the read-only...

Page 144: ...employee user is the employee who is using the enterprise network for official tasks. You can create Employee WLANs, specify the required authentication, encryption, and access rules, and allow the employees to use the enterprise network. The user database is also used when an IAP is configured as an internal RADIUS server. The local user database of IAPs can support up to 512 user entries.
In the Instan...

Page 145: ...rd portal
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring Authentication Parameters for Management Users
You can configure RADIUS or Terminal Access Controller Access Control System (TACACS) authentication servers to authenticate and authorize the management users of an IAP. The authentication servers determine whether the user has access to the administrative interface. The privilege level for diffe...

Page 146: ...
- Load balancing: If two servers are configured, users can use them in the primary or backup mode or in load balancing mode. To enable load balancing, select Enabled from the Load balancing drop-down list. For more information on load balancing, see Dynamic Load Balancing between Two Authentication Servers on page 156.
- TACACS accounting: If a TACACS server is selected, enable TACACS accounting to report ma...

Page 147: ...server1>
(Instant AP)(config)# mgmt-auth-server <server2>
(Instant AP)(config)# mgmt-auth-server-load-balancing
(Instant AP)(config)# mgmt-auth-server-local-backup
To enable TACACS accounting:
(Instant AP)(config)# mgmt-accounting command all
Adding Guest Users through the Guest Management Interface
To add guest users through the Guest Management interface:
1. Log in to the Instant UI with the guest management interfac...

Page 148: ...sages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on the EAP authentication framework supported by the IAPs, s...

Page 149: ...to enable the l2-authentication-fallthrough mode. When this option is enabled, 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default. For more information on configuring an IAP to use MAC as well as 802.1X authentication, see Configuring MAC Authentication ...

Page 150: ...P authentication creates an encrypted SSL/TLS tunnel between the client and the authentication server. The exchange of information is encrypted inside the tunnel, ensuring that the user credentials are kept secure.
- LEAP: Lightweight Extensible Authentication Protocol (LEAP) uses dynamic WEP keys for authentication between the client and the authentication server.
To use the IAP's internal database for user a...

Page 151: ...Server. In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Instant RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every IAP on the RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests from a NAS to a remote RADIUS server. The RADIUS server responds to the...
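What actually leaves the VC for a MAC-authenticated client is an ordinary RADIUS Access-Request: User-Name and User-Password both carry the client MAC in the form selected by the delimiter and uppercase settings (pages 96 and 126), and NAS-IP-Address carries the VC's address, which is why the RADIUS server only needs the VC registered as a NAS client. The following is an added example, not Aruba code, that builds and decodes such a packet; it implements RFC 2865 attribute encoding and the User-Password hiding (MD5 of the shared secret and the Request Authenticator, chained per 16-byte block). Sending Calling-Station-Id in AA-BB-CC-DD-EE-FF form, and the sample MAC, NAS IP and shared secret, are constructed assumptions of mine.

```python
import hashlib
import ipaddress
import os
import re
import struct
from typing import Dict, List, Optional

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def format_mac(mac: str, delimiter: str = "", uppercase: bool = False) -> str:
    """MAC as the User-Name the delimiter/uppercase settings select:
    "" -> xxxxxxxxxxxx, ":" -> xx:xx:xx:xx:xx:xx, "-" -> xx-xx-xx-xx-xx-xx."""
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if uppercase else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes, max 255."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac: str, nas_ip: str, secret: bytes, ident: int = 0,
                           delimiter: str = "", uppercase: bool = False,
                           authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request for MAC authentication as the VC sends it on behalf of an IAP."""
    username = format_mac(mac, delimiter, uppercase).encode("ascii")
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(username, secret, ra))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + attribute(CALLING_STATION_ID, format_mac(mac, "-", True).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(attrs))
    return header + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the TLVs after the 20-byte header; a malformed length aborts."""
    attrs: Dict[int, List[bytes]] = {}
    i, end = 20, int.from_bytes(packet[2:4], "big")
    while i < end:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > end:
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(packet[i + 2:i + l])
        i += l
    return attrs


if __name__ == "__main__":
    secret, ra = b"s3cret-shared", bytes(range(16))     # constructed
    pkt = build_mac_auth_request("00:11:22:AA:BB:CC", "10.0.0.5", secret, 7, ":", False, ra)
    got = parse_attributes(pkt)
    print("User-Name:", got[USER_NAME][0].decode())
    print("User-Password recovered:", unhide_password(got[USER_PASSWORD][0], secret, ra).decode())
    print("NAS-IP-Address:", ipaddress.IPv4Address(got[NAS_IP_ADDRESS][0]))
```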

Page 152: ...t-Session-Time
l Acct-Status-Type
l Acct-Terminate-Cause
l Acct-Tunnel-Packets-Lost
l Add-Port-To-IP-Address
l Aruba-AP-Group
l Aruba-AP-IP-Address
l Aruba-AS-Credential-Hash
l Aruba-AS-User-Name
l Aruba-Admin-Path
l Aruba-Admin-Role
l Aruba-AirGroup-Device-Type
l Aruba-AirGroup-Shared-Group
l Aruba-AirGroup-Shared-Role
l Aruba-AirGroup-Shared-User
l Aruba-AirGroup-User-Name
l Aruba-AirGroup-Versi...

Page 153: ...Priv-Admin-User
l Aruba-Template-User
l Aruba-User-Group
l Aruba-User-Role
l Aruba-User-Vlan
l Aruba-WorkSpace-App-Name
l Authentication-Sub-Type
l Authentication-Type
l CHAP-Challenge
l Callback-Id
l Callback-Number
l Chargeable-User-Identity
l Class
l Connect-Info
l Connect-Rate
l Crypt-Password
l DB-Entry-State
l Digest-Response
l Domain-Name
l EAP-Message
l Error-Cause
l Event-Timestamp
l Exe...

Page 154: ...erface-Id
l Framed-MTU
l Framed-Protocol
l Framed-Route
l Framed-Routing
l Full-Name
l Group
l Group-Name
l Hint
l Huntgroup-Name
l Idle-Timeout
l Location-Capable
l Location-Data
l Location-Information
l Login-IP-Host
l Login-IPv6-Host
l Login-LAT-Node
l Login-LAT-Port
l Login-LAT-Service
l Login-Service
l Login-TCP-Port
l Menu
l Message-Auth
l NAS-IPv6-Address
l NAS-Port-Type
l Operator-Name
l P...

Page 155: ...fw_mode
l dhcp-option
l dot1x-authentication-type
l mac-address
l mac-address-and-dhcp-options
TACACS Servers
You can now configure a TACACS server as the authentication server to authenticate and authorize all types of management users and account user sessions. When configured, the TACACS server allows a remote access server to communicate with an authentication server to determine if the user ha...

Page 156: ...he need to obtain inputs about the server capabilities from the administrators.
Configuring an External Server for Authentication
You can configure RADIUS, TACACS, LDAP, and ClearPass Policy Manager servers through the Instant UI or the CLI.
In the Instant UI
To configure an external authentication server:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new s...

Page 157: ...s cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.
NAS IP address: Allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS IP Address, without changing the source IP address in the IP header of the RADIUS packet.
NOTE: If you do not enter the IP address, the VC IP address is used by default w...

Page 158: ...ve write privileges, but the user must be able to search the database and read attributes of other users in the database.
Admin password: Enter a password for the administrator.
Base DN: Enter a distinguished name for the node that contains the entire user database.
Filter: Specify the filter to apply when searching for a user in the LDAP database. The default filter string is objectclass.
Key Attribute: Specif...

Page 159: ...eters. You can also add a TACACS server by selecting the New option when configuring authentication parameters for management users. For more information, see Configuring Authentication Parameters for Management Users on page 145.
l CPPM Server for AirGroup CoA: To configure a ClearPass Policy Manager server used for AirGroup CoA (Change of Authorization), select the CoA only check box. The RADIUS server is...

Page 160: ...erver <profile-name>
(Instant AP)(LDAP Server <profile-name>)# ip <IP-address>
(Instant AP)(LDAP Server <profile-name>)# port <port>
(Instant AP)(LDAP Server <profile-name>)# admin-dn <name>
(Instant AP)(LDAP Server <profile-name>)# admin-password <password>
(Instant AP)(LDAP Server <profile-name>)# base-dn <name>
(Instant AP)(LDAP Server <profile-name>)# filter <filter>
(Instant AP)(LDAP Server <profile-name>)# key-attribute <key>
(Instant AP)(LDAP Server...

Page 161: ...l using the Instant UI or the CLI.
In the Instant UI
To configure the RadSec protocol in the UI:
1. Navigate to Security > Authentication Servers. The Security window is displayed.
2. To create a new server, click New. A popup window for specifying details for the new server is displayed.
3. Under RADIUS Server, configure the following parameters:
a. Enter the name of the server.
b. Enter the host name or the IP a...

Page 162: ...AP)# commit apply
To associate an authentication server to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# auth-server <name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Dynamic RADIUS Proxy Parameters
The RADIUS server can be deployed at different locations and VLANs. In most cases, a centralized RADIUS or local server is used to a...

Page 163: ...Parameters
You can configure DRP parameters for the authentication server by using the Instant UI or the CLI.
In the Instant UI
To configure dynamic RADIUS proxy in the Instant UI:
1. Go to Security > Authentication Servers.
2. To create a new server, click New and configure the required RADIUS server parameters as described in Table 33.
3. Ensure that the following dynamic RADIUS proxy parameters are conf...

Page 164: ...o a network profile, select the newly added server when configuring security settings for a wireless or wired network profile. You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile. For more information, see Configuring Security Settings for a WLAN SSID Profile on page 90 and Configuring Security Settings for a Wired Profile on p...

Page 165: ...Cipher Block Chaining Message Authentication Code (AES-CCMP)
Table 37: WPA and WPA-2 Features
WPA and WPA-2 can be further classified as follows:
l Personal: Personal is also called Pre-Shared Key (PSK). In this type, a unique key is shared with each client in the network. Users have to use this key to securely log in to the network. The key remains the same until it is changed by authorized personnel. You ca...

Page 166: ...r tries to reconnect to the IAP and the remote link fails due to the unavailability of the authentication server, the IAP uses the cached credentials in the internal authentication server to authenticate the user. However, if the client tries to reconnect after the cache expiry, the authentication fails.
4. When the authentication server is available and if the client tries to reconnect, the IAP detects...

Page 167: ...th-survivability cached-info
To view logs for debugging:
(Instant AP)# show auth-survivability debug-log
Configuring 802.1X Authentication for a Network Profile
This section consists of the following procedures:
l Configuring 802.1X Authentication for Wireless Network Profiles on page 168
l Configuring 802.1X Authentication for Wired Profiles on page 168
The Instant network supports internal RADIUS ser...

Page 168: ...When Termination is enabled, the IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.
6. Specify the type of authentication server to use and configure other required parameters. You can also configure two different authentication servers to function as primary and backup servers when Termin...

Page 169: ...profile <name>)# radius-reauth-interval <Minutes>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Enabling 802.1X Supplicant Support
The 802.1X authentication protocol prevents unauthorized clients from gaining access to the network through publicly accessible ports. If the ports to which the IAPs are connected are configured to use the 802.1X authentication method, ensure that you confi...

Page 170: ...als are uploaded to the IAP database.
e. Click OK.
5. Reboot the IAP.
In the CLI
To set the username and password variable used by the PEAP protocol-based 802.1X authentication:
(Instant AP)# ap1x peap-user <ap1xuser> <password>
To set the PEAP 802.1X authentication type:
(Instant AP)(config)# ap1x peap validate-server
(Instant AP)(config)# end
(Instant AP)# commit apply
To set the TLS 802.1X authentication type:
(Instant AP)(config)# ap1...

Page 171: ...add more users.
f. Click OK.
6. To allow the IAP to use a delimiter in the MAC authentication request, specify a character (for example, colon or dash) as a delimiter for the MAC address string. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used.
7. To allow the IAP to us...

Page 172: ...rs window is displayed.
b. Specify the client MAC address as the username and password.
c. Specify the type of the user (employee or guest).
d. Click Add.
e. Repeat the steps to add more users.
f. Click OK.
7. Configure other parameters as required.
8. Click Next to define access rules, and then click Finish to apply the changes.
In the CLI
To configure MAC address based authentication with an external server:
(Instant...

Page 173: ...e <name>)# l2-auth-failthrough
(Instant AP)(SSID Profile <name>)# auth-server <server-name1>
(Instant AP)(SSID Profile <name>)# radius-reauth-interval <minutes>
(Instant AP)(SSID Profile <name>)# auth-survivability
(Instant AP)(SSID Profile <name>)# exit
(Instant AP)(config)# auth-survivability cache-time-out <hours>
(Instant AP)(config)# end
(Instant AP)# commit apply
Configuring MAC and 802.1X Authentications for Wired Profiles
You can con...

Page 174: ...uthentication with captive portal authentication for a network profile using the Instant UI or the CLI.
In the Instant UI
1. Select an existing wireless or wired profile for which you want to enable MAC with captive portal authentication. Depending on the network profile selected, the Edit WLAN Profile or the Edit Wired Network window is displayed.
To enable MAC authentication with captive portal authen...

Page 175: ...Select the Internal Authenticated or the External RADIUS Server option from the Splash page type drop-down list to configure WISPr authentication for a WLAN profile. You can configure WISPr authentication using the Instant UI or the CLI.
In the Instant UI
1. Click the System link located directly above the Search bar in the Instant main window. The System window is displayed.
2. Click Show advanced opt...

Page 176: ...iate with an IAP in the network. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force client disconnection.
This section describes the following procedures:
l Blacklisting Clients Manually on page 176
l Blacklisting Users Dynamically on page 177
Blacklisting Clients Manually
Manual blacklisting adds the MAC address of a client to the blacklist. The...

Page 177: ...listing. When the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.
Configuring Blacklist Duration
You can set the blacklist duration using the Instant UI or the CLI.
In the Instant UI
To set a blacklist duration:
1. Click the Security link located directly above the Search bar in the Instant main window.
2. Click the Blacklisting tab.
3. Under Dynamic Blacklisting:
4. F...

Page 178: ...commit apply
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# blacklisting
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client config
Blacklist Time: 60
Auth Failure Blacklist Time: 60
Manually Blacklisted Clients
MAC  Time
Dynamically Blacklisted Clients
MAC  Reason  Ti...

Page 179: ...played.
4. Browse and select the file to upload.
5. Select any of the following types of certificates from the Certificate type drop-down list:
l CA: CA certificate to validate the identity of the client.
l Auth Server: The authentication server certificate to verify the identity of the server to the client.
l Captive portal server: Captive portal server certificate to verify the identity of the internal captiv...

Page 180: ...erification such as certificate type, format, version, serial number, and so on before accepting the certificate and uploading it to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the VC. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.
To load a certific...

Page 181: ...information, see Configuring Organization String on page 308 for further information.
Figure 39: Selecting the Group
The Virtual Controller Certificate section displays the certificates (CA cert and Server).
5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the IAP.
6. To clear the certificate options, click Revert.

Page 182: ...dth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, source, or destination IP addresses.
You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or blo...

Page 183: ...you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window.
a. To configure access rules through the Wired Profile window:
l Navigate to More > Wired.
l Click Edit and then Edit Wired Network.
l Click Access.
b. To configure access rules through the WLAN wizard:
l Navigate to Network > WLAN SSID.
l Click Edit and then Edit WLAN.
l Click Access.
2. Select the rol...

Page 184: ...the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
l to all destinations: Access is allowed or denied to all destinations.
l to a particular server: Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
l except...

Page 185: ...ect the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
Table 39: Access Rule Configuration Parameters
6. Click OK and then click Finish.
In the CLI
To configure access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> <protocol> <start-port> <end-port>...

Page 186: ...e Instant UI
To configure a source NAT access rule:
1. Navigate to the WLAN wizard or the Wired settings window:
l To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click edit to modify an existing profile.
l To configure access rules for a wired profile, go to More > Wired. In the Wired window, click New under Wired Networks to create a new network or clic...

Page 187: ...supports configuration of the destination NAT rule, which can be used to redirect traffic to the specified IP address and destination port. The destination NAT configuration is supported only in the bridge mode without VPN.
You can configure a destination NAT access rule by using the Instant UI or the CLI.
In the Instant UI
To configure a destination NAT access rule:
1. Navigate to the WLAN wizard or th...

Page 188: ...the Search bar on the Instant main window.
2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. The following figure shows the contents of the Firewall Settings tab.
Figure 40: Firewall Settings: ALG Protocols
3. Select Enabled from the corresponding drop-down lists to enable SIP, VOCERA, Alcatel NOE, and Cisco Skinny protocols.
4. Click OK.
When the protocols for ALG are set to...

Page 189: ...nst security attacks, select the following check boxes:
l Select Drop bad ARP to enable the IAP to drop the fake ARP packets.
l Select Fix malformed DHCP for the IAP to fix the malformed DHCP packets.
l Select ARP poison check to enable the IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue IAPs.
Figure 41: Firewall Settings: Protection Against Wired...

Page 190: ...redefined ACLs.
l ACEs must be configured to override the guest VLAN auto-expanded ACEs. In other words, the user-defined ACEs take higher precedence over guest VLAN ACEs. For more information on inbound firewall settings, see Managing Inbound Traffic.
The priority of a particular ACE is determined based on the order in which it is programmed. Ensure that you do not accidentally override the guest VLAN A...

Page 191: ...uration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or a wired profile, the inbound firewall rules can be configured based on the source subnet.
For all subnets, a deny rule is created by default as the last rule. If at least one rule is configured, the deny all rule is applied to the upstream...

Page 192: ...cify the IP address and netmask of the source network.
Destination: Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements:
l to all destinations: Traffic for all destinations is allowed, denied, or the IP address is translated at the source or the destination...

Page 193: ...ttings on page 260.
DSCP tag: Select the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0-63. To assign a higher priority, specify a higher value.
802.1p priority: Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
Table 40: I...

Page 194: ...te Network
You can configure restricted corporate access to block unauthorized users from accessing the corporate network. When restricted corporate access is enabled, corporate access is blocked from the uplink port of the master IAP, including clients connected to a slave IAP.
You can configure restricted corporate access by using the Instant UI or the CLI.
In the Instant UI
To configure restricted corpo...

Page 195: ...arubanetworks.com are always resolved internally on Instant. The content filtering configuration applies to all IAPs in the network, and the service is enabled or disabled globally across the wireless or wired network profiles.
Enabling Content Filtering
This section describes the following procedures:
l Enabling Content Filtering for a Wireless Profile on page 195
l Enabling Content Filtering for a...

Page 196: ...System > General and click Show advanced options > Enterprise Domains. The Enterprise Domain tab contents are displayed.
2. Click New and enter a New Domain Name. Using an asterisk as an enterprise domain causes all DNS traffic to go through the tunnel to the original DNS server of the clients. If you are configuring a routing profile with split-tunnel disabled, you need to add an asterisk to the enterprise domain list...

Page 197: ...n set a higher bandwidth for trusted sites and a low bandwidth rate for high-risk sites.
7. Click OK to save the rules.
8. Click OK in the Roles tab to save the changes to the role for which you defined ACL rules.
In the CLI
To control access based on web categories and security ratings:
(Instant AP)(config)# wlan access-rule <access_rule>
(Instant AP)(Access Rule <access_rule>)# rule <dest> <mask> <match> webcategory <we...

Page 198: ...w in the Access Rules section.
3. In the New Rule window, select the rule type as Blocked Page URL.
4. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click New.
5. Click OK.
6. Click OK in the Roles tab to save the changes.
In the CLI
To configure an ACL rule to redirect blocked HTTP websites to a custom error page URL:
(Instant AP)(config)# wlan access-rule <access_rule_name>
(Inst...

Page 199: ...onfiguration on an IAP involves the following procedures:
l Creating a User Role on page 199
l Assigning Bandwidth Contracts to User Roles on page 200
l Configuring Machine and User Authentication Roles on page 201
Creating a User Role
You can create a user role by using the Instant UI or the CLI.
In the Instant UI
To create a user role:
1. Click the Security link located directly above the Search bar...

Page 200: ...he IAP is upgraded to the Instant 6.5.0.0-4.3.0.0 release version, the bandwidth configuration per SSID will be treated as a per-user downstream bandwidth contract for that SSID.
In the Instant UI
1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role (see Cr...

Page 201: ...ired Network or Edit Wired Network), under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role and applying the rule. For more information on configuring access rules, see Configuring ACL Rules for Network Services on page 182.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Fini...

Page 202: ...can be the default user role configured for an authentication method such as 802.1X authentication. For each authentication method, you can configure a default role for the clients who are successfully authenticated using that method.
DHCP Option and DHCP Fingerprinting
DHCP fingerprinting allows you to identify the operating system of a device by looking at the options in the DHCP frame. Based on...

Page 203: ...ains the string specified in Operand.
l Is the role: The rule is applied if the attribute value is the role.
l equals: The rule is applied only if the attribute value is equal to the string specified in Operand.
l not-equals: The rule is applied only if the attribute value is not equal to the string specified in Operand.
l starts-with: The rule is applied only if the attribute value starts with the string...

Page 204: ...the user roles that may have a VLAN configured.
l The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication.
l After client authentication, the VLAN can be derived from Vendor Specific Attributes (VSA) for RADIUS server authentication.
l The DHCP-based VLANs can be derived for captive portal authentication.
Instant supports role derivation based on th...

Page 205: ...thentication. If the RADIUS server supports return attributes and sets an attribute value in the reply message, the IAP can analyze the return message and match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA on page 151.
F...

Page 206: ...New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with the attribute values returned by the authentication server.
Figure 48: VLAN Assignment Rule Window
3. Select the attribute from the Attribute drop-down list. The list of supported attributes includes RADIUS attributes, dhcp-op...

Page 207: ...f
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Example
(Instant AP)(config)# wlan ssid-profile Profile1
(Instant AP)(SSID Profile Profile1)# set-vlan mac-address-and-dhcp-options matches-regular-expression link 100
(Instant AP)(SSID Profile Profile1)# end
(Instant AP)# commit apply
Using Advanced Expressions in Role and VLAN Derivation Rules
For complex policies of role and VLAN derivation using...

Page 208: ...ut string. For example, eth matches Eth but not Ethernet.
Matches the declared element multiple times if it exists. For example, eth matches all occurrences of eth such as Eth, Ethernet, Eth0, and so on.
Matches the declared element one or more times. For example, aa matches occurrences of aa and aaa.
Matches nested characters. For example, 192 matches any number of the character string 192.
Matches the characte...

Page 209: ...nstant AP)(Access Rule <rule-name>)# vlan 200
(Instant AP)(Access Rule <rule-name>)# end
(Instant AP)# commit apply
Assigning User VLAN Roles to a Network Profile
You can configure user VLAN roles for a network profile using the Instant UI or the CLI.
In the Instant UI
To assign a user VLAN role:
1. Click Network > New > New WLAN > Access, or click Network > edit > Edit WLAN profile > Access.
2. On the Access tab, ensure that the sli...

Page 210: ...(Instant AP)# commit apply

Page 211: ...efault gateway. The configured subnet and the corresponding DHCP scope are independent of the subnets configured in other IAP clusters. The VC assigns an IP address from a local subnet and forwards traffic to both corporate and non-corporate destinations. The network address is translated appropriately and the packet is forwarded through the IPsec tunnel or through the uplink. This DHCP assignment mod...

Page 212: ...ecify the network to use.
Netmask: If Local, Local L2, or Local L3 is selected, specify the subnet mask. The subnet mask and the network determine the size of the subnet.
Excluded address: Specify a range of IP addresses to exclude. You can add up to two exclusion ranges. Based on the size of the subnet and the value configured for Excluded address, the IP addresses either before or after the defined range a...

Page 213: ...clude-address <IP-address>
(Instant AP)(DHCP Profile <profile-name>)# dns-server <name>
(Instant AP)(DHCP Profile <profile-name>)# domain-name <domain-name>
(Instant AP)(DHCP Profile <profile-name>)# lease-time <seconds>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring Distributed DHCP Scopes
Instant allows you to configure the DHCP address...

Page 214: ...escription
Name: Enter a name for the DHCP scope.
Type: Select any of the following options:
l Distributed L2: On selecting Distributed L2, the VC acts as the DHCP server, but the default gateway is in the data center. Traffic is bridged into the VPN tunnel.
l Distributed L3: On selecting Distributed L3, the VC acts as both DHCP server and default gateway. Traffic is routed into the VPN tunnel.
VLAN: Specify a VLAN...

Page 215: ...cate multiple branch IDs (BID) per subnet. The IAP generates a subnet name from the DHCP IP configuration, which the controller can use as a subnet identifier. If static subnets are configured in each branch, all of them are assigned BID 0, which is mapped directly to the configured static subnet.
Option: Specify the type and a value for the DHCP option. You can configure the organization-specific...

Page 216: ...SIG-KEY>
(Instant AP)(DHCP Profile <profile-name>)# ip-range <start-IP> <end-IP>
(Instant AP)(DHCP Profile <profile-name>)# reserve {first | last} <count>
(Instant AP)(DHCP Profile <profile-name>)# option <type> <value>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring Centralized DHCP Scopes
When a centralized DHCP scope is configured, the following points are to be noted:
l The VC does not assign an IP...

Page 217: ...corporate domains as configured in the Enterprise Domains list and forwards them to the IAP's own DNS server. When split-tunnel is disabled, all the traffic, including the corporate and Internet traffic, is tunneled irrespective of the routing profile specifications. If the GRE tunnel is down and the corporate network is not reachable, the client traffic is dropped.
DHCP relay: If you are configuring a Centr...

Page 218: ...nt AP)(DHCP Profile <profile-name>)# vlan-ip <DHCP IP address> mask <VLAN mask>
(Instant AP)(DHCP Profile <profile-name>)# end
(Instant AP)# commit apply
Configuring the Default DHCP Scope for Client IP Assignment
The DHCP server is a built-in server used for networks in which clients are assigned IP addresses by the VC. You can customize the DHCP pool subnet and address range to provide simultaneous access to more nu...

Page 219: ...ase time is 0.
5. Enter the network range for the client IP addresses in the Network text box. The system generates a network range automatically that is sufficient for 254 addresses. If you want to provide simultaneous access to a larger number of clients, specify a larger range.
6. Specify the subnet mask details for the network range in the Mask text box.
7. Click OK to apply the changes.
In the CLI
To confi...

Page 220: ...DHCP Netmask: 255.255.255.0
DHCP Lease Time (m): 20
DHCP Domain Name: example.com
DHCP DNS Server: 192.0.2.1

Page 221: ...he IAP. To verify the time synchronization between the NTP server and the IAP, execute the show time-range command and check if the time on the NTP server is in synchronization with the local time. For more information on NTP server configuration, see NTP Server.
l For a time range profile configured to enable the SSID on the IAP:
n When the timer starts, if the current time is greater than the start tim...

Page 222: ...ime range profile in hh:mm format.
Table 47: Time Range Profile Configuration Parameters
4. Click OK.
In the CLI
To create an absolute time range profile:
(Instant AP)(config)# time-range <name> absolute start <startday> <starttime> end <endday> <endtime>
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a periodic time range profile:
(Instant AP)(config)# time-range <name> periodic {<startday> | daily | weekday | weekend}...

Page 223: ...o view the time range profiles created on an IAP:
(Instant AP)# show time-range
Time Range Summary
Profile Name  Type      Start Day   Start Time  End Day     End Time  Valid
test          Periodic  daily       13:00                   14:00     No
test1         Absolute  11/17/2015  10:00       11/24/2015  17:00     No
Lunchbreak    Periodic  weekday     12:00                   13:00     No
Lunchbreak1   Periodic  daily       12:00                   13:00     No
To verify if the time range profile is enabled on an SSID:
(Instant AP)# sh...

Page 224: ...The following command creates a periodic time range profile that executes during the weekend:
(Instant AP)(config)# time-range timep4 periodic weekend 10:20 to 10:30
The following command removes the time range configuration:
(Instant AP)(config)# no time-range testhshs12

Page 225: ...IP address is dynamically handed to the IAP by the ISP, there are instances when the client loses remote connectivity to the IAP when there is a change in the IP address. Similarly, in the case of IAP clients where the IAP acts as a DHCP server, the host becomes unreachable when the dynamically assigned IP address is changed. The dynamic DNS feature eliminates these issues by configuring a domain name, thus...

Page 226: ...Click OK.
In the CLI
To enable dynamic DNS on an IAP:
(Instant AP)(config)# dynamic-dns-ap
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a TSIG key and server IP address:
(Instant AP)(config)# dynamic-dns-ap key <algo-name> <keyname> <keystring>
(Instant AP)(config)# dynamic-dns-ap server <ddns_server>
(Instant AP)(config)# end
(Instant AP)# commit apply
To configure a time interval:
(Instant AP)(config)# dynamic-dns-i...

Page 227: ...17.132.85 key hmac-sha1 arubaddns 16YuLPdH21rQ6PuK9udsVLtJw3Y
DDNS Interval: 900
To view the list of DDNS clients:
(Instant AP)# show ddns clients
DDNS Client List
Host Name      Domain Name     IP Address      DHCP profile name  Success Count  Failure Count
iap1 ddns      home test ddns  192.192.192.17  None               16             22
132 13 Auto PC  test ddns      192.168.99.18   DistL3             9              3
132 14 Auto PC  test ddns      192.168.99.4    DistL3             2              0
Last update...

Page 228: ...works VPN tunnels from the IAP networks at branch locations to datacenters, where the Aruba controller acts as a VPN concentrator. When a VPN is configured, the IAP acting as the VC creates a VPN tunnel to an Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the IAP with any configuration.
The VPN features are recommended for the following set...

Page 229: ...ader and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
l Aruba GRE: With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP tunnel configuration...

Page 230: ...old time. The default value for Hold time is 600 seconds.
c. To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately, select Enabled from the Fast failover drop-down list. When fast failover is enabled and the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the...

Page 231: ...nstant AP DHCP Profile distL2 subnet mask 255 255 255 0 Instant AP DHCP Profile distL2 lease time 86400 Instant AP DHCP Profile distL2 default router 10 15 205 254 Instant AP DHCP Profile distL2 dns server 10 13 6 110 10 1 1 50 Instant AP DHCP Profile distL2 domain name arubanetworks com Instant AP DHCP Profile distL2 client count 5 Instant AP config ip dhcp local Instant AP DHCP Profile local ser...

Page 232: ...AP When enabled the traffic to the corporate network is sent through a Layer 2 GRE tunnel from the IAP itself and need not be forwarded through the master IAP By default the Per AP tunnel option is disabled Figure 52 Manual GRE Configuration 4 Click Next to continue When the GRE tunnel configuration is completed on both the IAP and the controller the packets sent from and received by an IAP are en...

Page 233: ...ld time When preemption is enabled and the primary host comes up the VPN tunnel switches to the primary host after the specified hold time The default value for Hold time is 600 seconds c To allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel and maintain both the primary and backup tunnels separately select Enabled from the Fast failover drop down list If t...

Page 234: ...nnect user on failover Instant AP config vpn reconnect time on failover down_time Instant AP config end Instant AP commit apply To view VPN configuration details Instant AP show vpn config Configuring an L2TPv3 Tunnel Some important points to note about L2TPv3 in the IAP context are as follows l Instant supports tunnel and session configuration and uses Control Message Authentication RFC 3931 for ...

Page 235: ...hen the primary tunnel goes down it starts the persistence timer which tries to bring up the primary tunnel n Non Preemptive In this mode when the backup tunnel is established after the primary tunnel goes down it does not make the primary tunnel active again L2TPV3 is not supported on IAP 205 devices You can configure an L2TPv3 tunnel and session profiles through the Instant UI or the CLI In the ...

Page 236: ...rval text box The default value is 60 seconds h Select the message digest as MD5 or SHA to be used for message authentication from the Message digest type drop down list i Select Disabled from the Checksum drop down list j Enter a shared key for the message digest in the Shared Key text box This key should match with the tunnel endpoint shared key k If required select the failover mode as Primary ...

Page 237: ...nel Profile l2tpv3_tunnel_profile message digest type digest_algo Instant AP L2TPv3 Tunnel Profile l2tpv3_tunnel_profile secret key key Instant AP L2TPv3 Tunnel Profile l2tpv3_tunnel_profile mtu tunnel_MTU Instant AP L2TPv3 Tunnel Profile l2tpv3_tunnel_profile end Instant AP commit apply To configure an L2TPv3 session profile Instant AP config l2tpv3 session l2tpv3_session_profile Instant AP L2TPv...

Page 238: ... L2TPV3 Session configuration Session Name Tunnel Name Local tunnel IP Tunnel Mask Tunnel Vlan Session Cookie Length Session Cookie Session Remote End ID test_session 1 1 1 1 255 255 255 0 5 0 0 0 To view L2TPv3 global configuration Instant AP show l2tpv3 global parameter L2TPV3 Global configuration Host Name Instant C4 42 98 To view L2TPV3 session status Instant AP show l2tpv3 session status Sess...

Page 239: ... tx txfail rx 0 0 96 retransmits 0 duplicate pkt discards 0 data pkt discards 0 hellos tx txfail rx 94 0 95 control rx packets 193 rx bytes 8506 control tx packets 195 tx bytes 8625 data rx packets 0 rx bytes 0 rx errors 0 data tx packets 6 tx bytes 588 tx errors 0 establish retries 0 To view L2TPv3 tunnel config Instant AP show l2tpv3 tunnel config Tunnel profile test_tunnel_primary l2tp host nam...

Page 240: ...scards 0 mismatched session ids 0 total control frame send failures 0 event queue fulls 0 Message counters Message RX Good RX Bad TX ILLEGAL 0 0 0 SCCRQ 0 0 1 SCCRP 1 0 0 SCCCN 0 0 1 STOPCCN 0 0 0 RESERVED1 0 0 0 HELLO 95 0 95 OCRQ 0 0 0 OCRP 0 0 0 OCCN 0 0 0 ICRQ 0 0 1 ICRP 1 0 0 ICCN 0 0 1 RESERVED2 0 0 0 CDN 0 0 0 WEN 0 0 0 SLI 0 0 0 Configuring Routing Profiles IAPs can terminate a single VPN ...

Page 241: ...th the same destination and netmask but ensure that the gateway is the primary controller IP for one route and the backup controller IP for the second route l Metric The default metric value is 15 Specify a metric value for the datapath route When two routes or more routes with the same network destination are available for data forwarding the route with the least metric value takes preference 4 R...

Page 242: ...oller Only the master IAP in an IAP cluster forms the VPN tunnel From the controller perspective the master IAPs that form the VPN tunnel are considered as VPN clients The controller terminates VPN tunnels and routes or switches the VPN traffic The IAP cluster creates an IPsec or GRE VPN tunnel from the VC to a Mobility Controller in a branch office The controller only acts as an IPsec or GRE VPN ...

Page 243: ... the DHCP scopes as it is reserved for a different purpose Local Mode In this mode the IAP cluster at that branch has a local subnet and the master IAP of the cluster acts as the DHCP server and gateway for clients The local mode provides access to the corporate network using the inner IP of the IPsec tunnel The network address for traffic destined to the corporate network is translated at the sou...

Page 244: ...ode each branch location is assigned a dedicated subnet The master IAP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for clients Client traffic destined to datacenter resources is routed to the controller through the IPsec tunnel which then routes the traffic to the appropriate corporate destinations When an IAP registers with the controller the controller adds...

Page 245: ...Source NAT is performed with local IP of the VC Locally bridged Routed Source NAT is performed with local IP of the VC Source NAT is performed with local IP of the VC Source NAT is performed with local IP of the VC Source NAT is performed with local IP of the VC Branch access from datacenter No No No Yes Yes Yes Yes Table 51 DHCP Scope and VPN Forwarding Modes Matrix Configuring IAP and Controll...

Page 246: ... tunnel route If the gateway is in the same subnet as uplink IP address it is used as a static gateway entry A static route can be added to all master and slave IAPs for these destinations The VPN traffic from the local subnet of IAP or the VC IP address in the local subnet is not routed to tunnel but will be switched to the relevant VLAN For example when a 0 0 0 0 0 0 0 0 routing profile is defin...

Page 247: ...n the default VLAN For information on how to configure an SSID or wired port profile see Wireless Network Profiles on page 81 and Configuring a Wired Profile on page 108 respectively Enabling Dynamic RADIUS Proxy The RADIUS server can be deployed at different locations and VLANs In most cases a centralized RADIUS or local server is used to authenticate users However some user networks can use a lo...

Page 248: ... intranet pool to allow IAP VPN devices to work independently For sample topology and configuration refer to the ArubaOS 6 5 User Guide To redistribute IAP VPN routes into the OSPF process Instant AP config router ospf redistribute rapng vpn To verify if the redistribution of the IAP VPN is enabled host show ip ospf redistribute To configure aggregate route for IAP VPN routes Instant AP config rou...

Page 249: ... 0 0 0 0 at cost 1 S 0 0 0 0 0 1 0 via 10 15 148 254 V 12 12 2 0 24 10 0 ipsec map V 12 12 12 0 25 10 0 ipsec map V 12 12 12 32 27 10 0 ipsec map V 50 40 40 0 24 10 0 ipsec map V 51 41 41 128 25 10 0 ipsec map V 53 43 43 32 27 10 0 ipsec map V 54 44 44 16 28 10 0 ipsec map C 9 9 9 0 24 is directly connected VLAN9 C 10 15 148 0 24 is directly connected VLAN1 C 43 43 43 0 24 is directly connected VL...

Page 250: ...ool startip endip Role Assignment for the Authenticated IAPs Define a role that includes an Source NAT rule to allow connections to the RADIUS server and for the Dynamic RADIUS Proxy in the IAP to work This role is assigned to IAPs after successful authentication host config ip access list session iaprole host config sess iaprole any host radius server ip any src nat host config sess iaprole any a...

Page 251: ...cb d3 16 DOWN 0 0 0 0 London c0 e1 6c f3 7f c0 e1 b1 UP 10 15 207 120 10 15 206 64 29 2 Instant CB D3 6c f3 7f cc 42 1e DOWN 0 0 0 0 Delhi 6c f3 7f cc 42 ca DOWN 0 0 0 0 Singapore 6c f3 7f cc 42 cb UP 10 15 207 122 10 15 206 120 29 2 Key Bid Subnet Name b3c65c b3c65c b3c65c 2 10 15 205 0 10 15 205 250 5 1 10 15 206 1 10 15 206 252 5 a2a65c 0 b3c65c 7 10 15 205 0 10 15 205 250 5 8 10 15 206 1 10 15...

Page 252: ... it can have multiple BIDs If a branch is in UP state and does not have a Bid Subnet Name it means that the IAP is connected to a controller which did not assign any BID for any subnet In the above example Paris CB D3 16 branch is UP and does not have a Bid Subnet Name This means that either the IAP is connected to a backup controller or it is connected to a primary controller without any Distribu...

Page 253: ...nd power settings for all the IAPs in the network according to changes in the RF environment This feature automates many setup tasks during network installation and the ongoing operations when RF conditions change Voice Aware Scanning The Voice Aware scanning feature prevents an IAP supporting an active voice call from scanning for other channels in the RF spectrum and allows the IAP to resume sca...

Page 254: ...ion Prefer 5 GHz Select this option to use band steering in the 5 GHz mode On selecting this the IAP steers the client to the 5 GHz band if the client is 5 GHz capable but allows the client connection on the 2 4 GHz band if the client persistently attempts for 2 4 GHz association Force 5 GHz Select this option to enforce 5 GHz band steering mode on the IAPs Balance Bands Select this option to allo...

Page 255: ...ferred Access Instant AP ARM end Instant AP commit apply Client Match The ARM client match feature continually monitors a client s RF neighborhood to provide ongoing client band steering and load balancing and enhanced IAP reassignment for roaming mobile clients This feature supersedes the legacy band steering and spectrum load balancing features which unlike client match do not trigger IAP change...

Page 256: ...ure monitor the RSSI for clients that advertise a dual band capability If a client is currently associated to a 2 4 GHz radio and the IAP detects that the client has a good RSSI from the 5 GHz radio the IAP steers the client to the 5 GHz radio as long as the 5 GHz RSSI is not significantly worse than the 2 4 GHz RSSI and the IAP retains a suitable distribution of clients on each of its radios l Ch...

Page 257: ...is 75 CM threshold Specify a value for CM threshold This number takes acceptance client count difference among all the channels of client match into account When the client load on an IAP reaches or exceeds the threshold client match is enabled on that IAP You can specify a value within range of 1 255 The default value is 2 SLB mode Select a mode from the SLB mode drop down list The SLB mode deter...

Page 258: ...e When Enabled ARM does not change channels for the IAPs with active clients except for high priority events such as RADAR or excessive noise This feature must be enabled in most deployments for a stable WLAN If the Client Aware mode is Disabled the IAP may change to a more optimal channel that may disrupt the current client traffic for a while The Client aware option is Enabled by default NOTE Wh...

Page 259: ... 18 Maximum Transmit Power 127 Band Steering Mode prefer 5ghz Client Aware enable Scanning enable Wide Channel Bands 5ghz 80Mhz Support enable Air Time Fairness Mode fair access Client Match disable CM NB Matching Percent 75 CM Calculating Interval 30 CM SLB Threshold 2 CM SLB Balancing Mode channel based CM max client match req 5 CM max adoption 5 Custom Channels No 2 4 GHz Channels Channel Statu...

Page 260: ... are displayed 3 Click the Radio tab 4 Under the channel 2 4 GHz or 5 GHz or both configure the following parameters Parameter Description Legacy only Select Enabled to run the radio in non 802 11n mode This option is set to Disabled by default 802 11d 802 11h Select Enabled to allow the radio to advertise its 802 11d Country Information and 802 11h Transmit Power Control capabilities This option ...

Page 261: ...to recover gracefully from a channel change Background spectrum monitoring Select Enabled to allow the IAPs in access mode to continue with normal access service to clients while performing additional function of monitoring RF interference from both neighboring IAPs and non Wi Fi sources such as microwaves and cordless phones on the channel they are currently serving clients Customize ARM power ra...

Page 262: ...F dot11a Radio Profile end Instant AP commit apply To disable VHT on a 5 GHz radio profile Instant AP config rf dot11a radio profile Instant AP RF dot11a Radio Profile very high throughput disable Instant AP RF dot11a Radio Profile end Instant AP commit apply To view the radio configuration Instant AP show radio config 2 4 GHz Legacy Mode enable Beacon Interval 100 802 11d 802 11h enable Interfere...

Page 263: ...equent scanning and selection of a valid channel for transmission By default the ARM is triggered to scan all the channels every 10 seconds and select the best channel for transmission But when the IAP is in a new environment ARM is triggered to perform frequent scanning of the non DFS channels every 200 milliseconds and select the best available channel for transmission The ap frequent scan comma...

Page 264: ...gories web categories and website URLs based on web reputation You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles For example you can block bandwidth monopolizing applications on a guest role within an enterprise The AppRF feature provides application visibility for analyzing client traffic flow IAPs support the power of both in device p...

Page 265: ...nt graph areas with data graphs on all client traffic and content filters based on App Category Web Category and Web Reputation Click each category to view the real time client traffic data or usage trend in the last 15 minutes or 1 minute The permit and deny monitoring tabs in the All Traffic and Web Content sections provide enforcement visibility support l Permit represents the allowed or permit...

Page 266: ...ations Chart The applications chart displays details on the client traffic towards the applications By clicking the rectangular area you can view the following graphs and toggle between the chart and list views ...

Page 267: ...Figure 62 Applications Chart Client View Figure 63 Applications List Client View ...

Page 268: ...ient traffic to the web categories By clicking the rectangle area you can view the following graphs and toggle between the chart and list views Figure 65 Web Categories Chart Client View Figure 66 Web Categories List Client View ...

Page 269: ...t View Web Reputation Charts The web reputation chart displays details about the client traffic to the URLs that are assigned security ratings By clicking in the rectangle area you can view the following graphs and toggle between the chart and list views Figure 68 Web Reputation Chart Client View Figure 69 Web Reputation List Client View ...

Page 270: ...is section describes the procedure for configuring access rules based on application and application categories The Application and Application rules utilize the onboard DPI engine l For information on configuring access rules to control access to network services see Configuring ACL Rules for Network Services on page 182 l For information on configuring access rules based on web categories and we...

Page 271: ...entication l cloud file storage l collaboration l encrypted l enterprise apps l gaming l im file transfer l instant messaging l mail protocols l mobile app store l network service l peer to peer l social networking l standard l streaming l thin client l tunneling l unified communications l web l Webmail Application Throttling Application throttling allows you to set a bandwidth limit for an applic...

Page 272: ...ed server After selecting this option specify the IP address of the destination server l to a network Access is allowed or denied to a network After selecting this option specify the IP address and netmask for the destination network l except to a network Access is allowed or denied to networks other than the specified network After selecting this option specify the IP address and netmask of the d...

Page 273: ...ame Instant AP Access Rule Name rule dest mask match invert app app permit deny appcategory appgrp option1 option9 Instant AP Access Rule Name end Instant AP commit apply Example The following CLI example shows how to configure employee access rules Instant AP config wlan access rule employee Instant AP Access Rule employee rule any any match app youtube permit throttle downstream 256 throttle up ...

Page 274: ...lity that the user will be exposed to malicious links or payloads n Moderate risk These are generally benign sites but may pose a security risk There is some probability that the user will be exposed to malicious links or payloads n Suspicious These are suspicious sites There is a higher than average probability that the user will be exposed to malicious links or payloads n High risk These are hig...

Page 275: ...Instant AP Access Rule access rule rule dest mask match webreputation webrep permit deny option1 option9 Instant AP Access Rule access rule end Instant AP commit apply Example The following CLI example shows how to set access rules based on the web category and the web reputation Instant AP config wlan access rule URLFilter Instant AP Access Rule URLFilter rule any any match webcategory gambling d...

Page 276: ... Fi Multimedia WMM is a Wi Fi Alliance specification based on the IEEE 802 11e wireless Quality of Service QoS standard WMM works with 802 11a 802 11b 802 11g and 802 11n physical layer standards WMM supports the following access categories ACs l Voice l Video l Best effort l Background The following table shows the mapping of the WMM access categories to 802 1p priority values The 802 1p priority...

Page 277: ...fic generated from video streaming l Voice WMM Allocates bandwidth for voice traffic generated from the incoming and outgoing voice communication 4 Click Next and complete the configuration as required In the CLI Configuring WMM for wireless clients Instant AP config wlan ssid profile name Instant AP SSID Profile name wmm background share share Instant AP SSID Profile name wmm best effort share sh...

Page 278: ...r the following access categories in the DSCP mapping text box l Background WMM DSCP mapping for the background traffic l Best effort WMM DSCP mapping for the best effort traffic l Video WMM DSCP mapping for the video traffic l Voice WMM DSCP mapping for the voice traffic 4 Click Next and complete the configuration as required In the CLI Configuring DSCP settings on an SSID Instant AP config wlan ...

Page 279: ...ignaling protocol to establish control and terminate voice and video calls These control or signaling sessions are usually permitted using predefined ACLs If the control signaling packets are encrypted the IAP cannot determine the dynamic ports that are used for voice or video traffic In these cases the IAP has to use an ACL with the classify media option enabled to identify the voice or video flo...

Page 280: ... example_s4b_test rule any any match tcp 5061 5061 permit Instant AP example_s4b_test rule any any match any any any deny Instant AP example_s4b_test end Instant AP commit apply The Type of Service ToS values for calls prioritized using the above mentioned media classification types will always carry a ToS of 40 for a voice session and 48 for a video session Enabling Enhanced Voice Call Tracking Ar...

Page 281: ...h generated the trap wlsxTrapAPName Name of the IAP which generated the trap Table 61 SNMP Trap Details for VoIP Calls SNMP GET In order to find the location of a particular emergency caller the third party SNMP server sends a query to the Master IAP using SNMP GET The Master IAP responds back to the SNMP server with the location IAP Name of the VoIP caller Following are the key parameters in the ...

Page 282: ...e role or user location In large universities and enterprise networks it is common for devices to connect to the network across VLANs As a result user devices on a specific VLAN cannot discover a service that resides on another VLAN As the addresses used by the protocol are link scope multicast addresses each query or advertisement can only be forwarded on its respective VLAN but not across differ...

Page 283: ...campus Wi Fi networks Bonjour can be installed on computers running Microsoft Windows and is supported by the new network capable printers Bonjour is also included with popular software programs such as Apple iTunes Safari and iPhoto Bonjour uses multicast DNS mDNS to locate devices and the services offered by these devices As shown in the following figure the IAP1 discovers AirPrint P1 and IAP3 d...

Page 284: ...covery messages for advertising itself its embedded devices and services On the other hand when a control point joins a network it may multicast a search discovery message for finding interesting devices and services The devices listening on the multicast address respond if they match the search criteria in the search message In a single IAP network the IAP maintains a cache table containing the l...

Page 285: ...s to their closest services such as printers AirGroup also enables context awareness for services across the network l AirGroup is aware of personal and shared devices For example an Apple TV in a dorm room can be associated with the student who owns it or an Apple TV in a meeting room or a printer in a supply room that is available to certain users such as the marketing department l AirGroup is a...

Page 286: ...l AirPrint Apple AirPrint allows you to print from an iPad iPhone or iPod Touch directly to any AirPrint compatible printers l iTunes The iTunes service is used by iTunes Wi Fi sync and iTunes home sharing applications across all Apple devices l RemoteMgmt The RemoteMgmt service allows remote login remote management and FTP utilities on Apple devices l Sharing The Sharing service allows applicatio...

Page 287: ...rPass Guest Services plugin ClearPass Guest 6 2 0 ClearPass Guest 6 3 0 Table 62 Instant ClearPass Policy Manager and ClearPass Guest Requirements Starting from ClearPass Policy Manager version 6 0 the ClearPass Guest and the AirGroup Services plug in are integrated into a single platform AirGroup maintains seamless connectivity between clients and services across VLANs and SSIDs The following tabl...

Page 288: ...p tab Figure 76 AirGroup Configuration 3 To enable support for Bonjour services select the Enable Bonjour check box and select the AirGroup services related to Bonjour as required 4 To enable DLNA support select the Enable DLNA check box and select the DLNA services 5 To allow the users to use Bonjour services enabled in a guest VLAN select Enable Guest Bonjour multicast When this check box is ena...

Page 289: ... By default an AirGroup service is accessible by all user roles configured in your IAP cluster l To block VLANs from allowing access to an AirGroup service click the corresponding edit link and select the VLANs to exclude By default the AirGroup services are accessible by users or devices in all VLANs configured in your IAP cluster 9 ClearPass Settings Use this section to configure the ClearPass P...

Page 290: ...ore information on configuring ClearPass Policy Manager server see Configuring an External Server for Authentication on page 156 Assigning a Server to AirGroup To associate the ClearPass Policy Manager server with AirGroup select the ClearPass Policy Manager server from the CPPM Server 1 drop down list If two ClearPass Policy Manager servers are configured the CPPM server 1 acts as a primary serve...

Page 291: ...ch the location reports must be sent 5 Specify the shared secret key in the Passphrase text box 6 In the Update text box specify the frequency at which the VC can send updates to the server You can specify a value within the range of 5 3600 seconds The default value is 5 seconds 7 Select the Include unassociated stations check box to send reports to the RTLS server about the stations that are not ...

Page 292: ...tion firewall data showing the destinations and applications used by associated devices l Current location l Historical location ALE requires the IAP placement data to be able to calculate location for the devices in a network ALE with Instant The Instant 6 3 1 1 4 0 release supports Analytics and Location Engine ALE The ALE server acts as a primary interface to all third party applications and th...

Page 293: ...ils Instant AP show ale config To verify the configuration status Instant AP show ale status Managing BLE Beacons In Instant 6 4 3 4 4 2 1 0 IAPs support Aruba Bluetooth Low Energy BLE devices such as BT 100 and BT 105 which are used for location tracking and proximity detection The BLE devices can be connected to an IAP and are monitored or managed by a cloud based Beacon Management Console BMC T...

Page 294: ...f the IAP is turned off The BLE operation mode is set to Disabled by default DynamicConsole The built in BLE chip of the IAP functions in the beaconing mode and dynamically enables access to IAP console over BLE when the link to the Local Management Switch LMS is lost PersistentConsole The built in BLE chip of the IAP provides access to the IAP console over BLE and also operates in the Beaconing m...

Page 295: ...as mapping IP address and user information for its clients in the network and can provide the required information for the user ID on PAN firewall Before sending the user ID mapping information to the PAN firewall the IAP must retrieve an API key that will be used for authentication for all APIs IAP provides the User ID mapping information to the PAN firewall for integration The client user id for...

Page 296: ...efault port is 443 7 Specify the static Client Domain to be mapped to the client User IDs that do not have a domain name of its own 8 Click OK In the CLI To enable PAN firewall integration with the IAP Instant AP config firewall external enforcement pan Instant AP firewall external enforcement pan enable Instant AP firewall external enforcement pan domain name name Instant AP firewall external enf...

Page 297: ...l Once the operation is completed VC sends the XML response to the XML server l Users can use the response and take appropriate action to suit their requirements The response from the VC is returned using the predefined formats Configuring an IAP for XML API integration You can configure an IAP for XML API integration by using the Instant UI or the CLI IAP supports the configuration of up to 8 XML...

Page 298: ...users user_delete This command deletes an existing user from the user table of the VC NOTE Do not use the user_delete command if the intention is to clear the association from the VC user table If the client is dual stack it re inherits the authentication state from the IPv6 address If not dual stack the client reverts to the initial role user_authenticate This command authenticates against the se...

Page 299: ...ored if shared secret is not configured on the switch The actual MD5 SHA 1 hash is 16 20 bytes and consists of binary data It must be encoded as an ASCII based HEX string before sending It must be present when the VC is configured with an xml API key for the server Encoded hash length is 32 40 bytes for MD5 SHA 1 version The version of the XML API interface available in the VC This is mandatory in...

Page 300: ...e IAP to the CALEA server Figure 80 IAP to CALEA Server Traffic Flow from IAP to CALEA Server through VPN You can also deploy the CALEA server with the controller and configure an additional IPsec tunnel for corporate access When CALEA server is configured with the controller the client traffic is replicated by the slave IAP and client data is encapsulated by GRE on slave and routed to the master ...

Page 301: ... to use a CALEA rule connects a replication role is assigned l Through Change of Authorization CoA In this method a user session can start without replication When the network administrator triggers a CoA from the RADIUS server the user session is replicated The replication is stopped when the user disconnects or by sending a CoA to change the replication role As the client information is shared b...

Page 302: ...e default MTU size is 1500 4 Click OK In the CLI To create a CALEA profile Instant AP config calea Instant AP calea ip IP address Instant AP calea ip mtu size Instant AP calea encapsulation type gre Instant AP calea gre type type Instant AP calea end Instant AP commit apply Creating an Access Rule for CALEA You can create an access rule for CALEA by using the Instant UI or the CLI In the Instant U...

Page 303: ...p profile name access rule name name Instant AP Wired ap profile name end Instant AP commit apply Verifying the configuration To verify the CALEA configuration Instant AP show calea config To view the tunnel encapsulation statistics Instant AP show calea statistics Example To enable CALEA integration Instant AP config calea Instant AP calea ip 192.0.2.7 Instant AP calea ip mtu 1500 Instant AP cale...

Page 304: ...Calea Test dmo channel utilization threshold 90 Instant AP SSID Profile Calea Test local probe req thresh 0 Instant AP SSID Profile Calea Test max clients threshold 64 Instant AP SSID Profile Calea Test end Instant AP SSID Profile Calea Test commit apply To verify the configuration Instant AP show calea config calea ip 10 0 0 5 encapsulation type gre gre type 25944 ip mtu 150 To view the tunnel en...

Page 305: ...evices by defining a minimum acceptable firmware version for each make and model of a device It remotely distributes the firmware image to the WLAN devices that require updates and it schedules the firmware updates such that updating is completed without requiring you to manually monitor the devices The following models can be used to upgrade the firmware l Automatic In this model the VC periodica...

Page 306: ...ion is detected and automatically repairs the incorrectly configured devices Figure 82 Template Based Configuration Trending Reports AirWave saves up to 14 months of actionable information including network performance data and user roaming patterns so you can analyze how network usage and performance trends have changed over time It also provides detailed capacity reports with which you can plan ...

Page 307: ...e IAP authenticates the AMP server using the Pre Shared Key PSK login process l organization ams domain If you select this format the IAP resolves the AirWave domain name into one or two IP addresses as AirWave Primary or AirWave Backup and then IAP starts a certificate based authentication with AMP server instead of the PSK login When the AMP domain name is used the IAP performs certificate based...

Page 308: ...Now link of the main window The System window is displayed with the AirWave parameters on the Admin tab 2 Enter the name of your organization in the Organization name text box The name defined for the organization is displayed under the Groups tab in the AirWave UI 3 Enter the IP address or domain name of the AirWave server in the AirWave server text box 4 Enter the IP address or domain name of a ...

Page 309: ...he DNS server records for aruba airwave xxx When there is no domain option the IAP will search only the server records for aruba airwave To enable IAPs to automatically discover the AMP server create a DNS record for aruba airwave xxx or aruba airwave in the DNS server To use this feature on the AirWave side enable certificate based login For information on how to enable certificate based login se...

Page 310: ...ormation n Name Instant n Data Type String n Code 60 n Description Instant AP Figure 85 Instant and DHCP options for AirWave Predefined Options and Values 5 Navigate to Server Manager and select Server Options in the IPv4 window This sets the value globally Use options on a per scope basis to override the global options 6 Right click Server Options and select the configuration options ...

Page 311: ...87 Instant and DHCP options for AirWave 060 IAP in Server Options 8 Select 043 Vendor Specific Info and enter a value for either of the following in the ASCII text box l airwave orgn airwave ip airwave key for example Aruba 192 0 2 20 12344567 l airwave orgn airwave domain for example Aruba aruba support com ...

Page 312: ...ide Figure 88 Instant and DHCP options for 043 Vendor Specific Info This creates DHCP options 60 and 43 on a global basis You can do the same on a per scope basis The per scope option overrides the global option Figure 89 Instant and DHCP options for AirWave Scope Options ...

Page 313: ...n specify only one option 43 for a scope and if other devices that use option 43 connect to this subnet they are presented with the information specific to the IAP 1 In Windows Server 2008 navigate to Server Manager Roles DHCP Server Domain DHCP Server IPv4 2 Select a scope subnet Scope 10 169 145 0 145 is selected in the example shown in the figure below 3 Right click and select Advanced and then...

Page 314: ...Wave Monitor Managing IAP from Aruba Central The Aruba Central user interface provides a standard web based interface that allows you to configure and monitor multiple Aruba Instant networks from anywhere with a connection to the Internet Central supports all the IAPs running Instant 6 2 1 0 3 3 0 0 or later versions ...

Page 315: ...can choose to move the IAP to a different group that you created The configuration defined in this group is automatically applied to the IAP Maintaining the Subscription List Aruba Central maintains a subscription list for the IAPs If an IAP is not included in this list Central identifies it as an unauthorized IAP and prevents it from joining the network The service providers use Aruba Central to ...

Page 316: ...d software images from the Aruba Cloud Based Image Service You may also need to configure HTTP proxy settings on the IAP if they are required for Internet access in your network For more information about image upgrade and HTTP proxy configuration see sections Image Management Using Cloud Server on page 348 and Configuring HTTP Proxy on an IAP on page 348 ...

Page 317: ... can be used to extend the connectivity to places where an Ethernet uplink cannot be configured It also provides a reliable backup link for the Ethernet based Instant network The following figure illustrates a scenario in which the IAPs join the VC as slave IAPs through a wired or mesh Wi Fi uplink Figure 93 Uplink Types The following types of uplinks are supported on Instant l Ethernet Uplink l C...

Page 318: ... effect The PPPoE connection is dialed after the IAP comes up The PPPoE configuration is checked during IAP boot and if the configuration is correct Ethernet is used for the uplink connection When PPPoE is used do not configure Dynamic RADIUS Proxy and IP address of the VC An SSID created with default VLAN is not supported with PPPoE uplink You can also configure an alternate Ethernet uplink to en...

Page 319: ...e pppoe unnumbered local l3 dhcp profile dhcp profile Instant AP pppoe uplink profile end Instant AP commit apply To view the PPPoE configuration Instant AP show pppoe config PPPoE Configuration Type Value User testUser Password 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c Service name internet03 CHAP secret 8e87644deda9364100719e017f88ebce Unnumbered dhcp profile dhcpProfile1 To view the PPPo...

Page 320: ...tty port Instant AP cellular uplink profile usb init Initialization parameter Instant AP cellular uplink profile usb dial dial parameter Instant AP cellular uplink profile usb modeswitch usb modem Instant AP cellular uplink profile end Instant AP commit apply To switch a modem from the storage mode to modem mode Instant AP cellular uplink profile usb modeswitch usb modem To view the cellular confi...

Page 321: ... In the Instant UI To provision an IAP with the Wi Fi uplink 1 If you are configuring a Wi Fi uplink after restoring factory settings on an IAP connect the IAP to an Ethernet cable to allow the IAP to get the IP address Otherwise go to step 2 2 Click the System link on the Instant main window 3 In the System section click the Show advanced options link The advanced options are displayed 4 Click th...

Page 322: ...g ESSID Cipher Suite Passphrase Band Instant AP show wifi uplink auth log wifi uplink auth configuration wifi uplink auth log 1116 2000 01 01 00 00 45 625 Global control interface tmp supp_gbl Uplink Preferences and Switching This topic describes the following procedures l Enforcing Uplinks on page 322 l Setting an Uplink Priority on page 323 l Enabling Uplink Preemption on page 323 l Switching Up...

Page 323: ...ber 4 Click OK The selected uplink is enforced on the IAP In the CLI To enforce an uplink Instant AP config uplink Instant AP uplink enforce cellular ethernet wifi none Instant AP uplink end Instant AP commit apply Setting an Uplink Priority You can set an uplink priority by using the Instant UI or the CLI In the Instant UI Setting an uplink priority 1 Click System show advanced settings Uplink 2 ...

Page 324: ... VPN connection status instead of only using the Ethernet or the physical backhaul link The following configuration conditions apply to uplink switching l If the current uplink is Ethernet and the VPN connection is down the IAP tries to reconnect to VPN The retry time depends on the fast failover configuration and the primary or backup VPN tunnel If this fails the IAP waits for the VPN failover ti...

Page 325: ...u can specify a value within the range of 1 1000 n Secs between test packets The frequency at which ICMP test packets are sent You can specify a value within the range of 1 3600 seconds n Internet check timeout Internet check timeout is the duration for the test packet timeout You can specify a value within the range of 0 3600 seconds and the default value is 10 seconds l Internet failover IP To c...

Page 326: ... 1 Max allowed test packet loss 10 Secs between test packets 30 VPN failover timeout secs 180 Internet check timeout secs 10 ICMP pkt sent 1 ICMP pkt lost 1 Continuous pkt lost 1 VPN down time 0 AP1X type NONE Certification type NONE Validate server NONE To view the uplink configuration in the CLI Instant AP show uplink config Uplink preemption enable Uplink preemption interval 600 Uplink enforce ...

Page 327: ...onsidered a direct security threat because it is not connected to the wired network However an interfering IAP may be reclassified as a rogue IAP To detect the rogue IAPs click the IDS link in the Instant main window The built in IDS scans for access points that are not controlled by the VC These are listed and classified as either Interfering or Rogue depending on whether they are on a foreign ne...

Page 328: ...n access points l Client Detection Policies Specifies the policy for detecting wireless attacks on clients l Infrastructure Protection Policies Specifies the policy for protecting access points from wireless attacks l Client Protection Policies Specifies the policy for protecting clients from wireless attacks l Containment Methods Prevents unauthorized stations from connecting to your Instant netw...

Page 329: ...dcast l IDS Signature Deassociation Broadcast Medium l Detect ad hoc networks using VALID SSID Valid SSID list is autoconfigured based on Instant IAP configuration l Detect Malformed Frame Large Duration High l Detect IAP Impersonation l Detect ad hoc Networks l Detect Valid SSID Misuse l Detect Wireless Bridge l Detect 802 11 40 MHz intolerance settings l Detect Active 802 11n Greenfield Mode Tab...

Page 330: ...ies The following table describes the detection policies enabled in the Client Detection Custom settings text box Detection Level Detection Policy Off All detection policies are disabled Low l Detect Valid Station Misassociation Medium l Detect Disconnect Station Attack l Detect Omerta Attack l Detect FATA Jack Attack l Detect Block ACK DOS l Detect Hotspotter Attack l Detect unencrypted Valid Cli...

Page 331: ...from Instant configuration l Rogue Containment High l Protect from ad hoc Networks l Protect IAP Impersonation Table 69 Infrastructure Protection Policies The following table describes the detection policies that are enabled in the Client Protection Custom settings text box Protection Level Protection Policy Off All protection policies are disabled Low Protect Valid Station High Protect Windows Br...

Page 332: ... the IAP if the MAC address that the IAP provides is offset by one character from its wired MAC address Enable the wired containment susp l3 rogue parameter only when a specific containment is required to avoid a false alarm l Wireless containment When enabled the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point n None Disables al...

Page 333: ...Instant AP IDS detect cts rate anomaly Instant AP IDS detect rts rate anomaly Instant AP IDS detect invalid addresscombination Instant AP IDS detect malformed htie Instant AP IDS detect malformed assoc req Instant AP IDS detect malformed frame auth Instant AP IDS detect overflow ie Instant AP IDS detect overflow eapol key Instant AP IDS detect beacon wrong channel Instant AP IDS detect invalid mac...

Page 334: ...ancy in the mesh network and most mesh points try to mesh directly with one of the two portals However depending on the actual deployment and RF environment some mesh points may mesh through other intermediate mesh points In an Instant mesh network the maximum hop count is two nodes point point portal and the maximum number of mesh points per mesh portal is eight Mesh IAPs detect the environment w...

Page 335: ... up Instant Mesh Network Starting from Instant 6 4 0 2 4 1 0 0 release mesh functionality is disabled by default because of which over the air provisioning of mesh IAPs is not supported To provision IAPs as mesh IAPs 1 Connect the IAPs to a wired switch 2 Ensure that the VC key is synchronized and the country code is configured 3 Ensure that a valid SSID is configured on the IAP 4 If the IAP has a...

Page 336: ...able from the Eth0 Bridging drop down list 5 Click OK 6 Reboot the IAP In the CLI To configure Ethernet bridging Instant AP enet0 bridging Make the necessary changes to the wired profile when eth0 is used as the downlink port For more information see Configuring a Wired Profile on page 108 ...

Page 337: ... access parameters are the same across these networks clients connected to IAPs in a given Instant network can roam to IAPs in a foreign Instant network and continue their existing sessions Clients roaming across these networks are able to continue using their IP addresses after roaming You can configure a list of VC IP addresses across which L3 mobility is supported The Aruba Instant Layer 3 mobi...

Page 338: ...in To allow clients to roam seamlessly among all the IAPs specify the VC IP for each foreign subnet You may include the local Instant or VC IP address so that the same configuration can be used across all Instant networks in the mobility domain It is recommended that you configure all client subnets in the mobility domain When the client subnets are configured note the following scenarios l If a c...

Page 339: ...the client subnet in the IP address text box b Enter the mask in the Subnet mask text box c Enter the VLAN ID of the home network in the VLAN ID text box d Enter the home VC IP address for this subnet in the Virtual controller IP text box 8 Click OK In the CLI To configure a mobility domain Instant AP config l3 mobility Instant AP L3 mobility home agent load balancing Instant AP L3 mobility virtua...

Page 340: ...spectrum band used by the SM s radio 2 4 GHz or 5 GHz An IAP radio in hybrid IAP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients You can record data for both types of spectrum monitor devices However the recorded spectrum is not reported to the VC A spectrum alert is sent to the VC when a non Wi Fi interfer...

Page 341: ...l Generic FF fixed frequency l Generic FH frequency hopper l Generic interferer l Microwave l Microwave inverter l Video l Xbox NOTE For additional details about non Wi Fi device types shown in this table see Non Wi Fi Interferer Types ID ID number assigned to the device by the spectrum monitor or hybrid IAP radio Spectrum monitors and hybrid IAPs assign a unique spectrum ID per device type Cfreq ...

Page 342: ...cy Video These devices typically have close to a 100 duty cycle These types of devices may be used for video surveillance TV or other video distribution and similar applications Fixed Frequency Other All other fixed frequency devices that do not fall into any of the above categories are classified as Fixed Frequency Other Note that the RF signatures of the fixed frequency audio video and cordless ...

Page 343: ...owave Inverter Dual magnetron industrial microwave ovens with higher duty cycle may also be classified as Microwave Inverter There may be other equipment that functions like inverter microwaves in some industrial healthcare or manufacturing environments Those devices may also be classified as Microwave Inverter Generic Interferer Any non frequency hopping device that does not fall into any of the ...

Page 344: ...strength to the combined levels of interference and noise on that channel This value is calculated by determining the maximum noise floor and interference signal levels and then calculating how strong the desired signal is above this maximum Table 73 Channel Details Information Channel Metrics The channel metrics graph displays channel quality availability and utilization metrics as seen by a spec...

Page 345: ...ermined by the percentage of packet retries the current noise floor and the duty cycle for non Wi Fi devices on that channel Availability The percentage of the channel currently available for use Utilization The percentage of the channel being used WiFi Util The percentage of the channel currently being used by Wi Fi devices Interference Util The percentage of the channel currently being used by n...

Page 346: ...Instant UI To convert an IAP to a hybrid IAP 1 Click the RF link on the Instant main window 2 In the RF section click Show advanced options to view the Radio tab 3 To enable a spectrum monitor on the 802 11g radio band in the 2 4 GHz radio profile select Enabled from the Background Spectrum Monitoring drop down list 4 To enable a spectrum monitor on the 802 11a radio band in the 5 GHz radio profil...

Page 347: ...stant AP wifi0 mode access monitor spectrum monitor Instant AP wifi1 mode access monitor spectrum monitor To enable spectrum monitoring for any other band for the 5 GHz radio Instant AP config rf dot11a radio profile Instant AP RF dot11a Radio Profile spectrum band type To view the radio configuration Instant AP show radio config 2 4 GHz Legacy Mode disable Beacon Interval 100 802 11d 802 11h disa...

Page 348: ... the version running on the VC and if the new IAP belongs to a different class the image file for the new IAP is provided by AirWave If AirWave does not have the appropriate image file the new IAP will not be able to join the network The VC communicates with the AirWave server if AirWave is configured If AirWave is not configured on the IAP the image is requested from the Image server Image Manage...

Page 349: ...ersion of the Instant software on the image server the New version available link is displayed on the Instant main window If AirWave is configured the automatic image check is disabled To check for a new version on the image server in the cloud 1 Go to Maintenance Automatic Check for New Version After the image check is completed one of the following messages is displayed n No new version availabl...

Page 350: ... 0 0 4 3 0 0 0_xxxx l Select the Image URL option Select this option to obtain an image file from a TFTP FTP or HTTP URL n HTTP http IP address image file For example http IP address ArubaInstant_Hercules_ 6 5 0 0 4 3 0 0 0_xxxx n TFTP tftp IP address image file For example tftp IP address ArubaInstant_Hercules_ 6 5 0 0 4 3 0 0 0_xxxx n FTP ftp IP address image file For example ftp IP address Arub...

Page 351: ...nance Configuration page 2 Click Backup Configuration 3 Click Continue to confirm the backup The instant cfg containing the IAP configuration data is saved in your local file system 4 To view the configuration that is backed up by the IAP enter the following command at the command prompt Instant AP show backup config Restoring Configuration To restore configuration 1 Navigate to the Maintenance Co...

Page 352: ...ller based network Before converting an IAP ensure that there is a regulatory domain match between the IAP and the controller The following table describes the regulatory domain restrictions that apply for the IAP to ArubaOS AP conversion IAP Variant IAP Regulatory Domain Controller Regulatory Domain ArubaOS release US Unrestricted IL IAP 314 315 IAP 334 335 US Y X X ArubaOS 6 5 0 0 or later RW X ...

Page 353: ... US Y X X ArubaOS 6 4 3 0 or later RW X Y Y JP X Y X IL X X Y IAP 21x US Y X X ArubaOS 6 4 2 0 or later RW X Y Y JP X Y X IL X X Y IAP 205 US Y X X ArubaOS 6 4 1 0 or later RW X Y Y JP X Y X IL X X Y IAP 274 275 US Y X X ArubaOS 6 4 or later RW X Y Y JP X Y X IL X X Y IAP 103H US Y X X ArubaOS 6 4 or later RW X Y Y JP X Y X IL X X Y Table 75 IAP to ArubaOS Conversion ...

Page 354: ... an IAP to a Remote AP For converting an IAP to a Remote AP the VC sends the Remote AP convert command to all the other IAPs The VC along with the slave IAPs sets a VPN tunnel to the remote controller and downloads the firmware through FTP The VC uses IPsec to communicate to the Mobility Controller over the Internet l If the IAP obtains AirWave information through DHCP Option 43 and Option 60 it e...

Page 355: ...ause mesh access points do not support VPN connection An IAP can be converted to a Campus AP and Remote AP only if the controller is running ArubaOS 6 1 4 or later versions The following table describes the supported IAP platforms and minimal ArubaOS version required for the Campus AP or Remote AP conversion Table 76 IAP Platforms and Minimum ArubaOS Versions for IAP to Remote AP Conversion IAP Pl...

Page 356: ...fully qualified domain name or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box Contact your local network administrator to obtain the IP address Ensure that the Mobility Controller IP address is reachable by the IAPs 5 Click Convert Now to complete the conversion The IAP reboots and begins operating in the Remote AP mode 6 After conversion the IAP is ...

Page 357: ...lity Controller text box Contact your local administrator to obtain these details 5 Click Convert Now to complete the conversion Converting an IAP to Stand Alone Mode This feature allows you to deploy an IAP as an autonomous IAP which is a separate entity from the existing VC cluster in the Layer 2 domain When an IAP is converted to function in stand alone mode it cannot join a cluster of IAPs eve...

Page 358: ...e reset knob located on the rear of an IAP can be used to reset the IAP to factory default settings To reset an IAP perform the following steps 1 Turn off the IAP 2 Press and hold the reset knob using a small and narrow object such as a paperclip 3 Turn on the IAP without releasing the reset knob The power LED flashes within 5 seconds indicating that the reset is completed 4 Release the reset knob...

Page 359: ... the IAPs in the network click Reboot All 4 The Confirm Reboot for AP message is displayed Click Reboot Now to proceed The Reboot in Progress message is displayed indicating that the reboot is in progress The Reboot Successful message is displayed after the process is complete If the system fails to boot the Unable to contact Access Points after reboot was initiated message is displayed 5 Click OK...

Page 360: ...An IAP cannot use Simple Network Management Protocol SNMP to set values in an Aruba system You can configure the following parameters for an IAP Parameter Description Community Strings for SNMPV1 and SNMPV2 An SNMP community string is a text string that acts as a password and is used to authenticate messages sent between the VC and the SNMP agent If you are using SNMPv3 to obtain values from the I...

Page 361: ...at is used This takes the value DES CBC DES Symmetric Encryption Privacy protocol password If messages sent on behalf of this user can be encrypted decrypted with DES the private privacy key with the privacy protocol is used Table 77 SNMP Parameters for IAP Configuring SNMP This section describes the procedure for configuring SNMPv1 SNMPv2 and SNMPv3 community strings by using the Instant UI or th...

Page 362: ...elect the type of privacy protocol from the Privacy protocol drop down list 8 Enter the privacy protocol password in the Password text box and retype the password in the Retype text box 9 Click OK 10 To edit the details for a particular user select the user and click Edit 11 To delete a particular user select the user and click Delete Configuring SNMP Community Strings in the CLI To configure an S...

Page 363: ...the agent in the device and is unique to that internal network 3 Click New and update the following information l IP Address Enter the IP Address of the new SNMP Trap receiver l Version Select the SNMP version v1 v2c v3 from the drop down list The version specifies the format of traps generated by the access point l Community Username Specify the community string for SNMPv1 and SNMPv2c traps and a...

Page 364: ...Even the master IAP sends the syslog source address from its actual IP address 5 Select the required values to configure syslog facility levels Syslog Facility is an information field associated with a syslog message It is an application or operating system component that generates a log message The following seven facilities are supported by Syslog l AP Debug Detailed log about the IAP device l N...

Page 365: ...e for all Syslog facilities Informational Messages of general interest to system users Debug Messages containing information useful for debugging Table 78 Logging Levels 6 Click OK In the CLI To configure a syslog server Instant AP config syslog server IP address To configure syslog facility levels Instant AP config syslog level logging level ap debug network security system user user debug wirele...

Page 366: ... that you can run through the UI and the corresponding CLI commands For more information on these commands refer to the respective command page in the Aruba Instant 6 5 0 0 4 3 0 0 CLI Reference Guide Instant AP show support commands Support Commands Description Command Name AP Tech Support Dump show tech support AP Tech Support Dump Supplemental show tech support supplemental AP Provisioning Stat...

Page 367: ... ACL Tables show datapath acl all AP Datapath Bridge Table show datapath bridge AP Datapath DMO session show datapath dmo session AP Datapath DMO station show datapath dmo station AP Datapath Dns Id Map show datapath dns id map AP Datapath Multicast Table show datapath mcast AP Datapath Nat Pool show datapath nat pool AP Datapath Route Table show datapath route AP Datapath Session Table show datap...

Page 368: ...le show ap monitor pot sta list AP Monitor Router show ap monitor routers AP Monitor Scan Information show ap monitor scan info AP Monitor Status show ap monitor status AP Persistent Clients show ap debug persistent clients AP PMK Cache show ap pmkcache AP PPPoE uplink debug show pppoe debug logs AP PPPoE uplink status show pppoe status AP Processes show process AP Radio 0 Client Probe Report show...

Page 369: ...Received show ap debug airwave config received VC AMP Single Sign on Key show ap debug airwave signon key VC AMP Configuration Restore Status show ap debug airwave restore status VC Central Current State Data show ap debug cloud state VC Central Current Stats Data show ap debug cloud stats VC Central Data Sent show ap debug cloud data sent VC Central Events Pending show ap debug cloud events pendi...

Page 370: ...stant AP speed test server port port Instant AP speed test protocol tcp udp Instant AP speed test on boot Instant AP speed test time interval interval Instant AP speed test bandwidth bandwidth Instant AP speed test sec to measure secs Instant AP speed test end Instant AP commit apply To configure and execute a speed test at any point in time Instant AP speed test server protocol bandwidth include ...

Page 371: ...Type Value VC package 0 RSSI package 0 APPRF package 0 URLv package 0 STATE package 0 STAT package 0 UPLINK BW package 0 Total 0 ...

Page 372: ...d selection Generic Advertisement Service GAS and Access Network Query Protocol ANQP are used l QOS Mapping Provides a mapping between the network layer QoS packet marking and over the air QoS frame marking based on user priority When a hotspot is configured in a network l The clients search for available hotspots using the beacon management frame l When a hotspot is found the client sends queries...

Page 373: ...vide additional data that can be sent from an IAP to the client to identify the IAP s network and service provider If a client requests this information through a GAS query the hotspot IAP sends the ANQP capability list in the GAS Initial Response frame indicating support for the following IEs l Venue Name l Domain Name l Network Authentication Type l Roaming Consortium List l Network Access Ident...

Page 374: ...n Venue Name Profile n Network Authentication Profile n Roaming Consortium Profile n 3GPP Profile n IP Address availability Profile n Domain Name Profile l H2QP advertisement profiles n Operator Friendly Name Profile n Connection Capability Profile n Operating Class Profile n WAN Metrics Profile Configuring an NAI Realm Profile You can configure a Network Access Identifier NAI Realm profile to def...

Page 375: ...ric value is 25 l crypto card To use crypto card authentication The associated numeric value is 28 l peapmschapv2 To use PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 MSCHAPv2 The associated numeric value is 29 l eap aka To use EAP for Universal Mobile Telecommunications System UMTS Authentication and Key Agreement AKA The associated numeric value is 50 The following ta...

Page 376: ...eric value is 3 l hw token The associated numeric value is 4 l softoken The associated numeric value is 5 l certificate The associated numeric value is 6 l uname passward The associated numeric value is 7 l none The associated numeric value is 8 l reserved The associated numeric value is 9 l vendor specific The associated numeric value is 10 Table 79 NAI Realm Profile Configuration Parameters Conf...

Page 377: ...ociated numeric value is 13 l zoo or aquarium The associated numeric value is 14 l emergency cord center The associated numeric value is 15 business The associated numeric value is 2 l unspecified The associated numeric value is 0 l doctor The associated numeric value is 1 l bank The associated numeric value is 2 l fire station The associated numeric value is 3 l police station The associated nume...

Page 378: ...s 3 l boarding house The associated numeric value is 4 storage The associated numeric value is 8 unspecified The associated numeric value is 0 utility misc The associated numeric value is 9 unspecified The associated numeric value is 0 vehicular The associated numeric value is 10 l unspecified The associated numeric value is 0 l automobile or truck The associated numeric value is 1 l airplane The ...

Page 379: ... address FQDN or URL Configuring a Roaming Consortium Profile You can configure a roaming consortium profile to send the roaming consortium information as an ANQP IE in a GAS query response To configure a roaming consortium profile Instant AP config hotspot anqp roam cons profile name Instant AP roaming consortium name roam cons oi roam cons oi Instant AP roaming consortium name roam cons oi len r...

Page 380: ...op lang code Instant AP operator friendly name name enable Instant AP operator friendly name name end Instant AP commit apply Configuring a Connection Capability Profile You can configure a connection capability profile to define information such as the hotspot IP protocols and associated port numbers that are available for communication To configure an H2QP connection capability profile Instant A...

Page 381: ...The default value of 0 indicates that the downlink speed is unknown or unspecified l Uplink speed Indicates the WAN uplink speed in Kbps l Load duration Indicates the duration in seconds during which the downlink utilization is measured l Symmetric links Indicates if the uplink and downlink have the same speed l WAN Link Status Indicates if the WAN is down link down up link up or in test state lin...

Page 382: ...or camera configured with a printer for the purpose of printing The corresponding integer value for this network type is 4 l emergency services This network is limited to accessing emergency services only The corresponding integer value for this network type is 5 l test This network is used for test purposes only The corresponding integer value for this network type is 14 l wildcard This network i...

Page 383: ...exchange query response length limit Specify this parameter to set the maximum length of the GAS query response in octets You can specify a value within the range of 1 127 The default value is 127 roam cons len 1 roam cons len 2 roam cons len 3 Specify the length of the organization identifier OI That is the value for the length of OIs of roam cons len 1 roam cons len 2 or roam cons len 3 The roam...

Page 384: ...files see Creating Advertisement Profiles for Hotspot Configuration on page 374 advertisement protocol Specify the advertisement protocol type for example specify the Access Network Query Protocol ANQP as anqp Table 82 Advertisement Profile Association Parameters Creating a WLAN SSID and Associating Hotspot Profile To create a WLAN SSID with Enterprise Security and WPA 2 Encryption Settings Instan...

Page 385: ...ons oi 888888 Instant AP roaming consortium rc1 exit Instant AP config hotspot anqp 3gpp profile 3g Instant AP 3gpp 3g 3gpp plmn1 40486 Instant AP 3gpp 3g exit Instant AP config hotspot anqp ip addr avail profile ip1 Instant AP IP addr avail ip1 no ipv4 addr avail Instant AP IP addr avail ip1 ipv6 addr avail Instant AP IP addr avail ip1 exit Instant AP config hotspot anqp domain name profile dn1 I...

Page 386: ... 0 Instant AP Hotspot2 0 hs1 venue group business Instant AP Hotspot2 0 hs1 venue type research and dev facility Instant AP Hotspot2 0 hs1 pame bi Instant AP Hotspot2 0 hs1 group frame block Instant AP Hotspot2 0 hs1 p2p dev mgmt Instant AP Hotspot2 0 hs1 p2p cross connect Instant AP Hotspot2 0 hs1 end Instant AP commit apply Step 3 Associating advertisement profiles with the hotspot profile Insta...

Page 387: ...idProfile1)# l2-auth-failthrough
(Instant AP)(SSID Profile ssidProfile1)# radius-accounting
(Instant AP)(SSID Profile ssidProfile1)# radius-accounting-mode user-association
(Instant AP)(SSID Profile ssidProfile1)# radius-interim-accounting-interval 10
(Instant AP)(SSID Profile ssidProfile1)# radius-reauth-interval 20
(Instant AP)(SSID Profile ssidProfile1)# max-authentication-failures 2
(Instant AP)(SSID Prof...

Page 388: ...ArubaOS User Guide. Mobility Access Switch Integration with an IAP. You can integrate an IAP with a Mobility Access Switch by connecting it directly to the switch port. The following integration features can be applied while integrating a Mobility Access Switch with an IAP:
- Rogue AP containment: When a rogue IAP is detected by an IAP, it sends the MAC address of the rogue IAP to the Mobility Access Swi...

Page 389: ...gure the VLANs on the ports to which the IAPs are connected. You can enable Mobility Access Switch integration either by using the Instant UI or the CLI. In the Instant UI: To enable the Mobility Access Switch integration: 1. Navigate to System > General. 2. Select Enabled from the MAS integration drop-down list. The MAS integration status is displayed in the Info area of the main window, as shown in the fol...

Page 390: ...guring ClearPass Guest on page 390; Verifying ClearPass Guest Setup on page 394; Troubleshooting on page 394. Configuring ClearPass Guest: To configure ClearPass Guest: 1. From the ClearPass Guest UI, navigate to Administration > AirGroup Services. 2. Click Configure AirGroup Services. Figure 114: Configure AirGroup Services. 3. Click Add a new controller...

Page 391: ...tion. Figure 116: Configure AirGroup Services Controller Settings. 5. Click Save Configuration. In order to demonstrate AirGroup, either an AirGroup Administrator or an AirGroup Operator account must be created. Creating AirGroup Administrator and Operator Account: To create an AirGroup administrator and AirGroup operator account using the ClearPass Policy Manager UI: 1. Navigate to the ClearPass Policy Mana...

Page 392: ...2. Click Add User. 3. Create an AirGroup Administrator by entering the required values. Figure 118: Create an AirGroup Administrator. 4. Click Add. 5. Now click Add User to create an AirGroup Operator. Aruba Instant 6.5.0.0-4.3.0.0 User Guide | ClearPass Guest Setup | 392...

Page 393: ...perator role. The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen. Figure 120: Local Users UI Screen. 7. Navigate to the ClearPass Guest UI and click Logout. The ClearPass Guest Login page is displayed. Use the AirGroup admin credentials to log in. 8. After logging in, click Create Device. Figure 121: Create a Device...

Page 394: ...the AppleTV, access the ClearPass Guest UI using either the AirGroup admin or the AirGroup operator credentials. Next, navigate to List Devices > Test Apple TV > Edit. Add a username that is not used to log in to the Apple devices in the Shared With box. 3. Disconnect and remove the OSX Mountain Lion/iOS 6 device from the controller's user table. Reconnect the device by not using the username that you added...

Page 395: ...
Problem | Solution
Limiting devices has no effect | Ensure IPv6 is disabled.
Apple Macintosh running Mountain Lion can use AirPlay, but iOS devices cannot | Ensure IPv6 is disabled.
...

Page 396: ...ess SSID configuration. All these are optional. In most networks, a single DHCP profile and wireless SSID configuration referring to a DHCP profile is sufficient. The following scenarios are described in this section:
- Scenario 1: IPsec: Single Datacenter Deployment with No Redundancy on page 397
- Scenario 2: IPsec: Single Datacenter with Multiple Controllers for Redundancy on page 401
- Scenario 3: IPsec...

Page 397: ...es, respectively. 7. Access rules defined for wired and wireless networks to permit all traffic. Topology: Figure 123 shows the topology and the IP addressing scheme used in this scenario. Figure 123: Scenario 1: IPsec: Single Datacenter Deployment with No Redundancy. The following IP addresses are used in the examples for this scenario:
- 10.0.0.0/8 is the corporate network
- 10.20.0.0/16 subnet is reserved...

Page 398: ...rver-type Distributed,L3
(Instant AP)(DHCP Profile l3-dhcp)# server-vlan 30
(Instant AP)(DHCP Profile l3-dhcp)# ip-range 10.30.0.0 10.30.255.255
(Instant AP)(DHCP Profile l3-dhcp)# dns-server 10.1.1.50,10.1.1.30
(Instant AP)(DHCP Profile l3-dhcp)# domain-name corpdomain.com
(Instant AP)(DHCP Profile l3-dhcp)# client-count 200
NOTE: The IP range configuration on each branch will be the same. Each IAP will derive a small...

Page 399: ...wired-port-profile wired-port)# exit
(Instant AP)(config)# enet1-port-profile wired-port
Configure a wireless SSID to operate in L3 mode and associate Distributed L3 mode VLAN 30 to the WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile wireless-ssid
(Instant AP)(SSID Profile wireless-ssid)# enable
(Instant AP)(SSID Profile wireless-ssid)# type employee
(Instant AP)(SSID Profile wireless-ssid)# essid wireless-s...

Page 400: ...with No Redundancy. IAP-Connected Switch Configuration: Client VLANs defined in this example must be opened on the upstream switches in multiple IAP deployments, as client traffic from the slave to the master is tagged with the client VLAN. Datacenter Configuration: For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 247. Ensure that the upstream route...

Page 401: ...s are tunneled to the controller
- Distributed L3 and Centralized L2 mode DHCP on all branches. L3 is used by the employee network and L2 is used by the guest network with captive portal
- Wired and wireless users in L2 and L3 modes
- Access rules defined for wired and wireless networks
Topology: Figure 124 shows the topology and the IP addressing scheme used in this scenario. Figure 124: Scenario 2: I...

Page 402: ...55.255.255.255 0.0.0.0
(Instant AP)(routing-profile)# route 10.2.2.2 255.255.255.255 0.0.0.0
(Instant AP)(routing-profile)# route 199.127.104.32 255.255.255.255 0.0.0.0
See Configuring Routing Profiles.
4. Configure Enterprise DNS. The configuration example in the next column tunnels all DNS queries to the original DNS server of clients without proxying on IAP:
(Instant AP)(config)# internal-domains
(Instant AP)(do...

Page 403: ...to operate in L3 mode and associate Distributed L3 mode VLAN 30 to the wired port profile:
(Instant AP)(config)# wired-port-profile wired-port
(Instant AP)(wired-port-profile wired-port)# switchport-mode access
(Instant AP)(wired-port-profile wired-port)# allowed-vlan all
(Instant AP)(wired-port-profile wired-port)# native-vlan 30
(Instant AP)(wired-port-profile wired-port)# no shutdown
(Instant AP)(wired-port-profile w...

Page 404: ...ule any any match any any any permit
For WLAN SSID:
(Instant AP)(config)# wlan access-rule guest
(Instant AP)(Access Rule guest)# rule any any match any any any permit
See Configuring ACL Rules for Network Services.
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
Table 85: IAP Configuration for Scenario 2...

Page 405: ...d one Local mode DHCP server
- RADIUS server within corporate network and authentication survivability enabled for branch survivability
- Wired and wireless users in L3 and NAT modes, respectively
- Access rules for wired and wireless users, with a source NAT based rule for contractor roles to bypass the global routing profile
- OSPF based route propagation on controller
Topology: Figure 125 shows the topo...

Page 406: ...rise DNS for split DNS. The example in the next column uses a specific enterprise domain to tunnel all DNS queries matching that domain to corporate:
(Instant AP)(config)# internal-domains
(Instant AP)(domains)# domain-name corpdomain.com
See Configuring Enterprise Domains.
4. Configure Distributed L3 DHCP profiles with VLAN 30 and VLAN 40. Distributed L3 profile with VLAN 30:
(Instant AP)(config)# ip dhcp l3-dhcp...

Page 407: ...rver server1)# port 1812
(Instant AP)(Auth Server server1)# acctport 1813
(Instant AP)(Auth Server server1)# key presharedkey
(Instant AP)(Auth Server server1)# exit
(Instant AP)(config)# wlan auth-server server2
(Instant AP)(Auth Server server2)# ip 10.2.2.2
(Instant AP)(Auth Server server2)# port 1812
(Instant AP)(Auth Server server2)# acctport 1813
(Instant AP)(Auth Server server2)# key presharedkey
See Configuring an External...

Page 408: ...L3 mode VLAN 40 to the WLAN SSID profile:
(Instant AP)(config)# wlan ssid-profile wireless-ssid-contractor
(Instant AP)(SSID Profile wireless-ssid-contractor)# enable
(Instant AP)(SSID Profile wireless-ssid-contractor)# type contractor
(Instant AP)(SSID Profile wireless-ssid-contractor)# essid wireless-ssid-contractor
(Instant AP)(SSID Profile wireless-ssid-contractor)# opmode wpa2-aes
(Instant AP)(SSID Profile wireless...

Page 409: ...src-nat
NOTE: Ensure that you execute the commit apply command in the Instant CLI before saving the configuration and propagating changes across the IAP cluster.
Table 86: IAP Configuration for Scenario 3: IPsec: Multiple Datacenter Deployment. IAP-Connected Switch Configuration: Client VLANs defined in this example must be opened on the upstream switches in multiple IAP deployments, as client traffic fro...

Page 410: ...ity Controller or any device that supports GRE termination
- Tunneling of all traffic to datacenter
- Centralized L2 mode DHCP profile
- RADIUS server within corporate network and authentication survivability for branch survivability
- Wired and wireless users in L2 mode
- Access rules defined for wired and wireless networks to permit all traffic
Topology: Figure 126 shows the topology and the IP a...

Page 411: ...NOTE: Starting with Instant 6.5.0.0-4.3.0.0, if VC IP is configured and per-AP GRE tunnel is disabled, the IAP uses the VC IP as the GRE source IP. For Manual GRE, this simplifies configuration on the controller, since only the VC IP destined GRE tunnel interface configuration is required. See Configuring Aruba GRE Parameters and Configuring Manual GRE Parameters. 2. Configure routing profiles to tunnel traffic throug...

Page 412: ...ed-port)# switchport-mode access
(Instant AP)(wired-port-profile wired-port)# allowed-vlan all
(Instant AP)(wired-port-profile wired-port)# native-vlan 20
(Instant AP)(wired-port-profile wired-port)# no shutdown
(Instant AP)(wired-port-profile wired-port)# access-rule-name wired-port
(Instant AP)(wired-port-profile wired-port)# type employee
(Instant AP)(wired-port-profile wired-port)# auth-server server1
(Instant AP)(wired...

Page 413: ...gle Datacenter Deployment with No Redundancy. IAP-Connected Switch Configuration: Client VLANs defined in this example must be opened on the upstream switches in multiple IAP deployments, as client traffic from the slave to the master is tagged with the client VLAN. Datacenter Configuration: For information on controller configuration, see Configuring a Controller for IAP-VPN Operations on page 247. The...

Page 414: ...and employs orthogonal frequency division multiplexing (OFDM), the modulation scheme used in 802.11a, to obtain higher data speed. Computers or terminals set up for 802.11g can fall back to speeds of 11 Mbps, so that 802.11b and 802.11g devices can be compatible within a single network. 802.11n: Wireless networking standard to improve network throughput over the two previous standards, 802.11a and 802.11g...

Page 415: ...exchanger (MX) records. The Address (A) record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. DST: Daylight saving time. DST, also known as summer time, is the practice of advancing clocks so that evenings have more daylight and mornings have less. Typically, clocks are adjusted forward one hour near the start of spr...

Page 416: ...s not support PoE, midspan power injectors are used. PPPoE: Point-to-Point Protocol over Ethernet. PPPoE is a method of connecting to the Internet, typically used with DSL services, where the client connects to the DSL modem. QoS: Quality of Service. QoS refers to the capability of a network to provide better service to a specific network traffic over various technologies. RF: Radio Frequency. RF refers to th...

Page 417: ...nsure privacy. wireless: Describes telecommunications in which electromagnetic waves, rather than some form of wire, carry the signal over part or all of the communication path. wireless network: In a Wireless LAN (WLAN), laptops, desktops, PDAs, and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each ot...

Page 418: ...ABR: Area Border Router; AC: Access Category; ACC: Advanced Cellular Coexistence; ACE: Access Control Entry; ACI: Adjacent Channel Interference; ACL: Access Control List; AD: Active Directory; ADO: ActiveX Data Objects; ADP: Aruba Discovery Protocol; AES: Advanced Encryption Standard; AIFSN: Arbitrary Inter-frame Space Number; ALE: Analytics and Location Engine; ALG: Application Layer Gateway; AM: Air Monitor; AMON: Advance...

Page 419: ...ol; BLE: Bluetooth Low Energy; BMC: Beacon Management Console; BPDU: Bridge Protocol Data Unit; BRAS: Broadband Remote Access Server; BRE: Basic Regular Expression; BSS: Basic Service Set; BSSID: Basic Service Set Identifier; BYOD: Bring Your Own Device; CA: Certification Authority; CAC: Call Admission Control; CALEA: Communications Assistance for Law Enforcement Act; CAP: Campus AP; CCA: Clear Channel Assessment; CDP: Cisco...

Page 420: ...ation List; CSA: Channel Switch Announcement; CSMA/CA: Carrier Sense Multiple Access/Collision Avoidance; CSR: Certificate Signing Request; CSV: Comma-Separated Values; CTS: Clear to Send; CW: Contention Window; DAS: Distributed Antenna System; dB: Decibel; dBm: Decibel Milliwatt; DCB: Data Center Bridging; DCE: Data Communication Equipment; DCF: Distributed Coordination Function; DDMO: Distributed Dynamic Multicast Optimi...

Page 421: ...cation; DoS: Denial of Service; DPD: Dead Peer Detection; DPI: Deep Packet Inspection; DR: Designated Router; DRT: Downloadable Regulatory Table; DS: Differentiated Services; DSCP: Differentiated Services Code Point; DSSS: Direct Sequence Spread Spectrum; DST: Daylight Saving Time; DTE: Data Terminal Equipment; DTIM: Delivery Traffic Indication Message; DTLS: Datagram Transport Layer Security; DU: Data Unit; EAP: Extensible...

Page 422: ...ing Protocol; EIRP: Effective Isotropic Radiated Power; EMM: Enterprise Mobility Management; ESI: External Services Interface; ESS: Extended Service Set; ESSID: Extended Service Set Identifier; EULA: End User License Agreement; FCC: Federal Communications Commission; FFT: Fast Fourier Transform; FHSS: Frequency Hopping Spread Spectrum; FIB: Forwarding Information Base; FIPS: Federal Information Processing Standards; FQD...

Page 423: ...GPS: Global Positioning System; GRE: Generic Routing Encapsulation; GUI: Graphical User Interface; GVRP: GARP or Generic VLAN Registration Protocol; H2QP: Hotspot 2.0 Query Protocol; HA: High Availability; HMD: High Mobility Device; HSPA: High Speed Packet Access; HT: High Throughput; HTTP: Hypertext Transfer Protocol; HTTPS: Hypertext Transfer Protocol Secure; IAS: Internet Authentication Service; ICMP: Internet Control...

Page 424: ...y Association and Key Management Protocol; ISP: Internet Service Provider; JSON: JavaScript Object Notation; KBps: Kilobytes per second; Kbps: Kilobits per second; L2TP: Layer 2 Tunneling Protocol; LACP: Link Aggregation Control Protocol; LAG: Link Aggregation Group; LAN: Local Area Network; LCD: Liquid Crystal Display; LDAP: Lightweight Directory Access Protocol; LDPC: Low Density Parity Check; LEA: Law Enforcement Agen...

Page 425: ...ntrol; MAM: Mobile Application Management; MBps: Megabytes per second; Mbps: Megabits per second; MCS: Modulation and Coding Scheme; MD5: Message Digest 5; MDM: Mobile Device Management; mDNS: Multicast Domain Name System; MFA: Multi-factor Authentication; MHz: Megahertz; MIB: Management Information Base; MIMO: Multiple Input Multiple Output; MLD: Multicast Listener Discovery; MPDU: MAC Protocol Data Unit; MPLS: Multiprotoco...

Page 426: ...otection; NAS: Network Access Server / Network-attached Storage; NAT: Network Address Translation; NetBIOS: Network Basic Input/Output System; NIC: Network Interface Card; Nmap: Network Mapper; NMI: Non-Maskable Interrupt; NMS: Network Management Server; NOE: New Office Environment; NTP: Network Time Protocol; OAuth: Open Authentication; OCSP: Online Certificate Status Protocol; OFA: OpenFlow Agent; OFDM: Orthogonal Frequenc...

Page 427: ...erface; PCI: Peripheral Component Interconnect; PDU: Power Distribution Unit; PEAP: Protected Extensible Authentication Protocol; PEAP-GTC: Protected Extensible Authentication Protocol-Generic Token Card; PEF: Policy Enforcement Firewall; PFS: Perfect Forward Secrecy; PHB: Per-hop behavior; PIM: Protocol Independent Multicast; PIN: Personal Identification Number; PKCS: Public Key Cryptography Standard; PKI: Public Key...

Page 428: ...ss Memory; RAP: Remote AP; RAPIDS: Rogue Access Point and Intrusion Detection System; RARP: Reverse ARP; REGEX: Regular Expression; REST: Representational State Transfer; RF: Radio Frequency; RFC: Request for Comments; RFID: Radio Frequency Identification; RIP: Routing Information Protocol; RRD: Round Robin Database; RSA: Rivest, Shamir, Adleman; RSSI: Received Signal Strength Indicator; RSTP: Rapid Spanning Tree Protocol; RT...

Page 429: ...ject Alternative Name; SCB: Station Control Block; SCEP: Simple Certificate Enrollment Protocol; SCP: Secure Copy Protocol; SCSI: Small Computer System Interface; SDN: Software Defined Networking; SDR: Software Defined Radio; SDU: Service Data Unit; SD-WAN: Software Defined Wide Area Network; SFTP: Secure File Transfer Protocol; SHA: Secure Hash Algorithm; SIM: Subscriber Identity Module; SIP: Session Initiation Protocol...

Page 430: ...ealth; SSH: Secure Shell; SSID: Service Set Identifier; SSL: Secure Sockets Layer; SSO: Single Sign-On; STBC: Space-Time Block Coding; STM: Station Management; STP: Spanning Tree Protocol; STRAP: Secure Thin RAP; SU-MIMO: Single User Multiple Input Multiple Output; SVP: SpectraLink Voice Priority; TAC: Technical Assistance Center; TACACS: Terminal Access Controller Access Control System; TCP/IP: Transmission Control Protoc...

Page 431: ...ification; TTL: Time to Live; TTLS: Tunneled Transport Layer Security; TXOP: Transmission Opportunity; U-APSD: Unscheduled Automatic Power Save Delivery; UCC: Unified Communications and Collaboration; UDID: Unique Device Identifier; UDP: User Datagram Protocol; UI: User Interface; UMTS: Universal Mobile Telecommunication System; UPnP: Universal Plug and Play; URI: Uniform Resource Identifier; URL: Uniform Resource Locato...

Page 432: ...rotocol; VSA: Vendor-Specific Attributes; VTP: VLAN Trunking Protocol; WAN: Wide Area Network; WebUI: Web browser User Interface; WEP: Wired Equivalent Privacy; WFA: Wi-Fi Alliance; WIDS: Wireless Intrusion Detection System; WINS: Windows Internet Naming Service; WIPS: Wireless Intrusion Prevention System; WISPr: Wireless Internet Service Provider Roaming; WLAN: Wireless Local Area Network; WME: Wireless Multimedia Exten...

Page 433: ...nics Engineers. IEEE 802.11 standards use the Ethernet protocol and CSMA/CA (carrier sense multiple access with collision avoidance) for path sharing. 802.11a: Provides specifications for wireless systems. Networks using 802.11a operate at radio frequencies in the 5 GHz band. The specification uses a modulation scheme known as orthogonal frequency division multiplexing (OFDM) that is especially well suited...

Page 434: ...which can be a laptop, a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car. Because a WLAN may have a range that extends beyond an office building, an outside user may be able to intrude into the network, obtain a free Internet connection, and possibly gain access to company records and other resources. ad hoc...

Page 435: ...reless devices or systems in fixed locations such as homes and offices. Fixed wireless devices usually derive their electrical power from the utility mains, unlike mobile wireless or portable wireless, which tend to be battery-powered. Although mobile and portable systems can be used in fixed locations, efficiency and bandwidth are compromised compared with fixed systems. frequency allocation: Use of rad...

Page 436: ...assword, username, authorization, and accounting, it is less vulnerable than RADIUS. VPN: A Virtual Private Network (VPN) network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Pr...

Page 437: ...and other computer peripherals are connected to each other without any network cables. These network elements or clients use radio signals to communicate with each other. Wireless networks are set up based on the IEEE 802.11 standards. WISP: Wireless ISP. WISP refers to an internet service provider (ISP) that allows subscribers to connect to a server at designated hot spots (access points) using a wireless...
